Public Nextcloud bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
| Team | Bounty | Title |
| --- | --- | --- |
| Nextcloud | - | ci.nextcloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) |
| Nextcloud | - | Email Spoofing Vulnerability from nextcloud. |
| Nextcloud | - | Nextcloud Server Remote Command Execution |
| Nextcloud | - | I am because bug |
| Nextcloud | - | Wordpress Vulnerable to Potential Unauthorized Password Reset |
| Nextcloud | - | Missing Rate Limiting protection leading to mass triggering of e-mails |
| Nextcloud | - | Cross Site Scripting |
| Nextcloud | - | information disclose |
| Nextcloud | - | Stored XSS in Gallery application (NC-SA-2017-010) |
| Nextcloud | - | Content (Text) Injection at https://nextcloud.com |
| Nextcloud | - | Clickjacking In https://demo.nextcloud.com |
| Nextcloud | - | Possible SSRF in email server settings(SMTP mode) |
| Nextcloud | - | The email API to test email-server settings is unlimited and can be used as a email bomb |
| Nextcloud | - | The email API to reset password is unlimited and can be used as a email bomb |
| Nextcloud | - | Content Spoofing/Text Injection in https://demo.nextcloud.com |
| Nextcloud | - | GIT Detected |
| Nextcloud | - | CSRF token validation is missing |
| Nextcloud | - | https://portal.nextcloud.com/.htaccess file is readable |
| Nextcloud | - | Share tokens for public calendars disclosed (NC-SA-2017-011) |
| Nextcloud | - | Design Issues on ( ███ ) Lead to show ( IPS of Users ) |
| Nextcloud | - | Directory Listing In Subdomain Of nextcloud.com |
| Nextcloud | $450 | Reflected XSS in error pages (NC-SA-2017-008) |
| Nextcloud | - | Server version/OS type disclosure via HTTP Response Header |
| Nextcloud | - | Content spoofing due to the improper behavior of the 403 page |
| Nextcloud | - | Update php-saml library to 2.10.5 |
| Nextcloud | - | Content Spoofing/Text Injection in nextcloud.com |
| Nextcloud | - | SSRF at apps.nextcloud.com/developer/apps/releases/new |
| Nextcloud | $250 | DOM XSS vulnerability in search dialogue (NC-SA-2017-007) |
| Nextcloud | - | Invalid request may lead content spoofing for phishing |
| Nextcloud | - | Content spoofing due to the improper behavior of the 403 page |
| Nextcloud | - | https://xmpp.nextcloud.com///;@www.google.com allows open redirect |
| Nextcloud | - | Version 4.7.2 of wordpress is vulnerable |
| Nextcloud | - | Missing SPF Flags on nextcloud.com |
| Nextcloud | $183 | Calendar and addressbook names disclosed (NC-SA-2017-012) |
| Nextcloud | - | Wordpress 4.7.1 |
| Nextcloud | - | Email Spoofing |
| Nextcloud | - | Missing Rate Limit for Current Password field in nextcloud.com |
| Nextcloud | - | Nextcloud.com is vulnerable to SWEET32 attack |
| Nextcloud | - | Group admin can remove user from all his groups via API |
| Nextcloud | - | Drone Nextcloud |
| Nextcloud | - | HTTP-Basic Authentication on logs.nextcloud.com |
| Nextcloud | - | Disclosure of administrators via JSON on nextcloud.com Wordpress |
| Nextcloud | - | WordPress <= 4.6.1 Stored XSS Via Theme File |
| Nextcloud | - | User Information Disclosure via REST API |
| Nextcloud | - | bug reporting template encourages users to paste config file with passwords |
| Nextcloud | - | Review remote code execution in SwiftMailer |
| Nextcloud | - | Reflected XSS in U2F plugin by shipping the example endpoints |
| Nextcloud | $300 | Limitation of app specific password scope can be bypassed (NC-SA-2017-009) |
| Nextcloud | - | Stored XSS on new Calling plugin (spreed) |
| Nextcloud | - | BruteForce in to Admin Account |
| Nextcloud | - | Login Hints on Admin Panel |
| Nextcloud | - | Wordpress Version Disclosure Bug On Nextcloud |
| Nextcloud | - | Files Drop: WebDAV endpoint is leaking existence of resources |
| Nextcloud | $50 | Content Spoofing in "files" app |
| Nextcloud | - | xss on demo.nextcloud.com due to outdated version |
| Nextcloud | - | Content spoofing due to the improper behavior of the 403 page in Private Server |
| Nextcloud | - | URI scheme bypass in mail app lead to HTML content spoof and opener control |
| Nextcloud | - | Dav sharing permissions issue |
| Nextcloud | $250 | Filename enumeration && DoS |
| Nextcloud | - | Bad content-type in response header when getting document can lead to html injection |
| Nextcloud | - | Bypassing quota limit |
| Nextcloud | - | Content spoofing in lookup.nextcloud.com |
| Nextcloud | $750 | Bypass permissions |
| Nextcloud | - | Unauthenticated Stored xss |
| Nextcloud | - | Android - Possible to intercept broadcasts about uploaded files |
| Nextcloud | - | Privilege escalation - Normal user can somehow make admin to delete shared folders |
| Nextcloud | $500 | Reflected XSS in Gallery App |
| Nextcloud | - | Reflected Self-XSS Vulnerability in the Comment section of Files (Different-payloads) |
| Nextcloud | $100 | Reflected Self-XSS Vulnerability in the Comment section of Files Information |
| Nextcloud | - | Slow Http attack on nextcloud(DOS) |
| Nextcloud | - | Wordpress: Directory Traversal / Denial of Serivce |
| Nextcloud | - | Expired SSL certificate |
| Nextcloud | - | \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype |
| Nextcloud | - | Information Disclosure of .htaccess file in Private Server/Subdomain |
| Nextcloud | - | Password Reset Link issue |
| Nextcloud | - | Content Injection - demo.nextcloud.com |
| Nextcloud | - | Content Injection - apps.nextcloud.com |
| Nextcloud | - | XSS on IOS app via HTML rendering |
| Nextcloud | - | Directory listening enabled in: 88.198.160.130 |
| Nextcloud | - | demo.nextcloud.com: Content spoofing due to default Apache Error Page |
| Nextcloud | - | Arbitrary File Upload in Logo & Log in image Theming setting. |
| Nextcloud | - | demo.nextcloud.com: Content spoofing due to default Apache Error Page |
| Nextcloud | $50 | More content spoofing through dir param in the files app |
| Nextcloud | - | Bookmarks: Delete all existing bookmarks of a user |
| Nextcloud | $100 | IDOR - Disable sharing |
| Nextcloud | - | xss for admin of https://newsletter.nextcloud.com |
| Nextcloud | - | [Nextcloud 9.0.53] Content Spoofing in 'trustDomain' parameter |
| Nextcloud | - | Content spoofing in cloud.nextcloud.com |
| Nextcloud | - | Information disclosure |
| Nextcloud | - | The application uses basic authentication. |
| Nextcloud | $50 | Content (Text) Injection at NextCloud Server 9.0.52 - via http://custom_nextcloud_url/remote.php/dav/files/ |
| Nextcloud | - | [Thirdparty] Stored XSS in chat module - nextcloud server 9.0.51 installed in ubuntu 14.0.4 LTS |
| Nextcloud | - | No Rate Limiting on stats.nextcloud.com login |
| Nextcloud | - | Deny access to download.nextcloud.com + folders |
| Nextcloud | - | Log pollution can lead to HTML Injection. |
| Nextcloud | - | REG: Content provider information leakage |
| Nextcloud | - | Email ID Disclosure. |
| Nextcloud | - | WordPress Vulnerabilities: User Enumeration, Vulnerable Akismet Plugin, XML-RPC Interface available |
| Nextcloud | $100 | Read-only share recipient can restore old versions of file |
| Nextcloud | $250 | Uploading files to a folder where invited user don't have any EDIT privilege |
| Nextcloud | - | Password reset link remains valid after email change |
| Nextcloud | - | Content Injection in subdomain |
| Nextcloud | - | Content injection in subdomain |
| Nextcloud | - | Content Spoofing/Text Injection - docs.nextcloud.org |
| Nextcloud | - | Content Injection 404 page |
| Nextcloud | - | Business/Functional logic bypass: Remove admins from admin group. |
| Nextcloud | - | help.nextcloud Email Address/Username enumeration |
| Nextcloud | - | newsletter.nextcloud.com: Bypass firewall protection |
| Nextcloud | - | Bruteforcing help.nextcloud.com |
| Nextcloud | - | Bruteforce attack is possible on newsletter.nextcloud.com |
| Nextcloud | - | No captcha on newsletter.nextcloudcom leaves vulnerable to email spammers |
| Nextcloud | - | Avatar image upload and bypass real image verification |
| Nextcloud | - | https://newsletter.nextcloud.com Directory listening and Information Disclosure |
| Nextcloud | - | Lost Password CSRF |
| Nextcloud | - | Directory Listing On download.nextcloud.com & Practical Attacks on PGP (Pretty Good Privacy) |
| Nextcloud | - | Server side request forgery (SSRF) on nextcloud implementation. |
| Nextcloud | - | Vulnerable Javascript library |
| Nextcloud | - | nextcloud.com: Directory listening for 'wp-includes' forders |
| Nextcloud | - | failure to invalidate session on password change |
| Nextcloud | $50 | Nextcloud server software: Content Spoofing |
| Nextcloud | - | No rate limiting on password protected shared file link |
| Nextcloud | - | nextcloud.com: Mail Bombing ( No Rate Limiting On Sending Emails On Contact us Page) |
| Nextcloud | $350 | Share owner has no possibility to list all existing derived shares |
| Nextcloud | - | help.nextcloud.com: Session Management Issue |
| Nextcloud | - | help.nextcloud.com: Known DoS condition (null pointer deref) in Nginx running |
| Nextcloud | - | No permission set on Activities [Android App] |
| Nextcloud | - | Enumeration of subscribed users and unauthenticated email unsubscriptions on https://newsletter.nextcloud.com/?p=unsubscribe |
| Nextcloud | - | Response Header injection using redirect_uri together with PHP that utilizes Header Folding according to RFC1945 and Internet Explorer 11 |
| Nextcloud | - | stats.nextcloud.com: Content Injection |
| Nextcloud | - | Content Spoofing |
| Nextcloud | $750 | Stored XSS on Share-popup of a directory's Gallery-view |
| Nextcloud | - | nextcloud.com: Content Injection Custom 404 Error |