Nextcloud Contacts
By the Year
In 2024 there have been 0 vulnerabilities in Nextcloud Contacts. Last year Contacts had 1 security vulnerability published. Right now, Contacts is on track to have fewer security vulnerabilities in 2024 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 0 | 0.00 |
2023 | 1 | 4.30 |
2022 | 0 | 0.00 |
2021 | 3 | 5.40 |
2020 | 1 | 4.30 |
2019 | 0 | 0.00 |
2018 | 1 | 4.80 |
It may take a day or so for new Contacts vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Nextcloud Contacts Security Vulnerabilities
CVE-2023-33182
4.3 - Medium
- May 30, 2023
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in-memory data) that the Avatar can't render. Because of this combination, the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app be upgraded to 5.0.3 or 4.2.4.
CVE-2021-39221
5.4 - Medium
- October 25, 2021
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application be upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy.
XSS
CVE-2020-8280
5.4 - Medium
- January 06, 2021
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.
XSS
CVE-2020-8281
5.4 - Medium
- January 06, 2021
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.
XSS
CVE-2020-8181
4.3 - Medium
- July 10, 2020
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.
Unrestricted File Upload
CVE-2018-3764
4.8 - Medium
- July 05, 2018
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
XSS