Nextcloud Desktop
By the Year
In 2024 there have been 2 vulnerabilities in Nextcloud Desktop with an average score of 8.5 out of ten. Last year Desktop had 6 security vulnerabilities published. Right now, Desktop is on track to have fewer security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 1.72.
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 2 | 8.45 |
2023 | 6 | 6.73 |
2022 | 5 | 5.88 |
2021 | 4 | 7.13 |
2020 | 5 | 6.34 |
2019 | 0 | 0.00 |
2018 | 0 | 0.00 |
It may take a day or so for new Desktop vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Nextcloud Desktop Security Vulnerabilities
In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux
CVE-2024-46958
9.1 - Critical
- September 16, 2024
In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.
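The practical question for CVE-2024-46958 is whether any file under the sync root actually ended up world-readable or world-writable, and how to close that down without disturbing owner and group bits. The following is an added example written for this page, not Nextcloud project code; the default sync path `~/Nextcloud` is an assumption and the test fixture constructs its own files.

```shell
#!/usr/bin/env bash
# Added example, not Nextcloud project code.
# Audits a Nextcloud sync directory for files whose mode grants any permission to
# "other" users, the symptom CVE-2024-46958 describes for 3.13.1-3.13.3 on Linux.
# The path ~/Nextcloud mentioned in the usage note is an assumption; pass the real sync root.

# Print every regular file under $1 that is world-readable or world-writable.
audit_world_perms() {
    local dir="$1"
    find "$dir" -type f \( -perm -o=r -o -perm -o=w \) -print 2>/dev/null
}

# Count only the world-writable subset: the more dangerous case, since any local
# user can alter content that the client will then sync back to the server.
count_world_writable() {
    find "$1" -type f -perm -o=w 2>/dev/null | wc -l | tr -d ' '
}

# Strip all "other" bits from offending files and directories while leaving
# owner/group bits alone, so a deliberate 0660 group share survives the cleanup.
fix_world_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -o=r -o -perm -o=w -o -perm -o=x \) \
        -exec chmod o-rwx {} + 2>/dev/null
}
```

Run `audit_world_perms ~/Nextcloud` first and inspect the list; `fix_world_perms` is the remediation once the client has been upgraded to 3.13.4, since a still-vulnerable client may recreate the permissive modes on the next sync.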
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer
CVE-2024-37885
7.8 - High
- June 14, 2024
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed arbitrary code to be loaded when the client was started with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
Code Injection
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server
CVE-2023-29000
6.5 - Medium
- April 04, 2023
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.
Improper Certificate Validation
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server
CVE-2023-28998
6.1 - Medium
- April 04, 2023
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
Missing Cryptographic Step
Nextcloud is an open-source productivity platform
CVE-2023-28999
6.4 - Medium
- April 04, 2023
Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.
Missing Encryption of Sensitive Data
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server
CVE-2023-28997
6.5 - Medium
- April 04, 2023
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
Reusing a Nonce, Key Pair in Encryption
The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer
CVE-2023-23942
6.1 - Medium
- February 06, 2023
The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on QML labels which are used for basic HTML elements such as `strong`, `em` and headings in the UI of the desktop client. The lack of sanitisation may allow JavaScript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.
XSS
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud
CVE-2023-22472
8.8 - High
- January 09, 2023
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2.
Session Riding
Nextcloud desktop is the Desktop sync client for Nextcloud
CVE-2022-39332
5.4 - Medium
- November 25, 2022
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
XSS
Nextcloud desktop is the Desktop sync client for Nextcloud
CVE-2022-39333
6.1 - Medium
- November 25, 2022
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
XSS
Nextcloud desktop is the Desktop sync client for Nextcloud
CVE-2022-39331
5.4 - Medium
- November 25, 2022
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
XSS
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers
CVE-2022-39334
4.7 - Medium
- November 25, 2022
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
Improper Certificate Validation
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer
CVE-2022-41882
7.8 - High
- November 11, 2022
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1. As a workaround, users can block the Nextcloud Desktop client 3.6.0 by setting the `minimum.supported.desktop.version` system config to `3.6.1` on the server, so new files designed to use this attack vector are not downloaded anymore. Already existing files can still be used. Another workaround would be to enforce shares to be accepted by setting the `sharing.force_share_accept` system config to `true` on the server, so new files designed to use this attack vector are not downloaded anymore. Already existing shares can still be abused.
Code Injection
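The two server-side workarounds named for CVE-2022-41882 are plain `config:system:set` calls, but an administrator also needs a way to confirm they are really in effect on a given instance. The following is an added example written for this page, not Nextcloud project code; the `occ` path, the `www-data` user and the `config.php` layout are assumptions for a typical install, and the test constructs its own `config.php` fixtures.

```shell
#!/usr/bin/env bash
# Added example, not Nextcloud project code.
# Applies and verifies the two server-side workarounds listed for CVE-2022-41882.
# Assumptions: occ lives at /var/www/nextcloud/occ and the web server user is www-data.

# Apply both workarounds with occ. Not executed by the test; run on the server.
apply_workarounds() {
    local occ="${1:-/var/www/nextcloud/occ}"
    sudo -u www-data php "$occ" config:system:set minimum.supported.desktop.version --value 3.6.1
    sudo -u www-data php "$occ" config:system:set sharing.force_share_accept --value true --type boolean
}

# Extract the scalar value of key $2 from the config.php given as $1.
# Handles both the  'key' => 'value',  and the  'key' => true,  forms.
config_value() {
    local key
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*'$key'[[:space:]]*=>[[:space:]]*'\{0,1\}\([^',]*\)'\{0,1\},.*/\1/p" "$1" | head -n1
}

# True when dotted version $1 is at least $2 (relies on GNU sort -V).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Prints "mitigated" if either workaround is in place (each one stops the
# vulnerable auto-download), otherwise "exposed:" followed by what is missing.
check_workarounds() {
    local cfg="$1" minver force ok=0 missing=""
    minver=$(config_value "$cfg" minimum.supported.desktop.version)
    force=$(config_value "$cfg" sharing.force_share_accept)
    if [ -n "$minver" ] && version_at_least "$minver" 3.6.1; then
        ok=1
    else
        missing="$missing minimum.supported.desktop.version=${minver:-unset}"
    fi
    if [ "$force" = "true" ]; then
        ok=1
    else
        missing="$missing sharing.force_share_accept=${force:-unset}"
    fi
    if [ "$ok" = 1 ]; then echo "mitigated"; else echo "exposed:$missing"; fi
}
```

`check_workarounds /var/www/nextcloud/config/config.php` gives a one-line answer suitable for a compliance script. Both workarounds only stop new downloads; as the advisory notes, files and shares that already reached the client are unaffected, so the real fix remains upgrading clients to 3.6.1.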
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer
CVE-2021-37617
7.3 - High
- August 18, 2021
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches for the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system.
DLL preloading
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer
CVE-2021-32728
6.5 - Medium
- August 18, 2021
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.
Improper Certificate Validation
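CVE-2021-32728 and CVE-2023-29000 above share one root cause: the client trusted that the certificate the server handed back belonged to the user's own private key, so a server that swaps in its own certificate gets files encrypted for a key it controls. A matching subject name is no defence, because the server chooses the subject too; the only reliable check is that the public key derived from the local private key is byte-for-byte the public key in the certificate. The following is an added example written for this page, not Nextcloud client code; it assumes the `openssl` command-line tool is installed and the test generates its own throwaway keys and certificates.

```shell
#!/usr/bin/env bash
# Added example, not Nextcloud project code. Assumes the openssl CLI is available.
# Mirrors what a fixed client must do before encrypting for an E2EE folder:
# derive the public key from the local private key, derive it from the
# server-supplied certificate, and refuse unless the two are identical.

# Public key (PEM SubjectPublicKeyInfo) derived from a private key file.
pubkey_from_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Public key (PEM SubjectPublicKeyInfo) extracted from an X.509 certificate and
# re-encoded through pkey so both sides use the same normalised PEM.
pubkey_from_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl pkey -pubin -pubout 2>/dev/null
}

# 0 when the certificate carries the public half of the private key $1,
# 1 on a mismatch (e.g. the attacker's certificate for the same CN),
# 2 when either input cannot be parsed (treat as a refusal, never as a pass).
keypair_matches_cert() {
    local key="$1" cert="$2" a b
    a=$(pubkey_from_key "$key");   [ -n "$a" ] || return 2
    b=$(pubkey_from_cert "$cert"); [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# SHA-256 of the certificate's DER SubjectPublicKeyInfo, the value to pin.
spki_fingerprint() {
    local pem
    pem=$(pubkey_from_cert "$1"); [ -n "$pem" ] || return 2
    printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Trust-on-first-use pin: record the fingerprint the first time, compare later.
# 0 if it matches (or was just recorded), 1 if the server changed the key,
# 2 if the certificate could not be parsed.
check_or_pin_cert() {
    local cert="$1" pinfile="$2" fp pinned
    fp=$(spki_fingerprint "$cert") || return 2
    if [ ! -s "$pinfile" ]; then
        printf '%s\n' "$fp" > "$pinfile"
        return 0
    fi
    pinned=$(cat "$pinfile")
    [ "$fp" = "$pinned" ]
}
```

The pin file adds a second line of defence for the case CVE-2023-29000 describes: even if the server later returns a different certificate for the same user, a changed SPKI fingerprint is detected before any file is encrypted. Note that both checks return 2, not 0, on unparsable input, so a malformed response from the server cannot slip through as a pass.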
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
CVE-2021-22895
5.9 - Medium
- June 11, 2021
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
Improper Certificate Validation
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs
CVE-2021-22879
8.8 - High
- April 14, 2021
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.
Injection
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8225
7.5 - High
- September 18, 2020
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
Cleartext Storage of Sensitive Information
A cross-site scripting error in Nextcloud Desktop client 2.6.4
CVE-2020-8189
5.4 - Medium
- August 21, 2020
A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed any HTML (including local links) to be presented when the server responded with invalid data on the login attempt.
XSS
A memory corruption vulnerability exists in Nextcloud Desktop Client v2.6.4 where missing ASLR and DEP protections on Windows
CVE-2020-8230
5.5 - Medium
- August 17, 2020
A memory corruption vulnerability exists in Nextcloud Desktop Client v2.6.4 where missing ASLR and DEP protections on Windows allowed memory to be corrupted.
Memory Corruption
A code injection in Nextcloud Desktop Client 2.6.4
CVE-2020-8224
7.8 - High
- August 10, 2020
A code injection in Nextcloud Desktop Client 2.6.4 allowed arbitrary code to be loaded when a malicious OpenSSL config was placed into a fixed directory.
Code Injection
A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4
CVE-2020-8229
5.5 - Medium
- August 10, 2020
A memory leak in the OCUtil.dll library used by Nextcloud Desktop Client 2.6.4 can lead to a DoS against the host system.
Memory Leak