Debian Nextcloud-Desktop vulnerabilities

26 known vulnerabilities affecting debian/nextcloud-desktop.

Total CVEs: 26
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 15, LOW 9

Vulnerabilities

Page 1 of 2
CVE-2025-47792 | MEDIUM | CVSS 5.0 | fixed in nextcloud-desktop 3.15.0-1 (forky) | 2025
[MEDIUM] CVE-2025-47792: nextcloud-desktop - Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, third-party applications already installed on a user machine can create link shares for almost all data via the socket API. These shares can then be easily sent off to an external service. Nextcloud Desktop fixes the issue in version 3.15. No known wo

CVE-2025-66549 | LOW | CVSS 2.4 | fixed in nextcloud-desktop 3.16.6-3 (forky) | 2025
[LOW] CVE-2025-66549: nextcloud-desktop - Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5. Scope: local; bookworm: open; bullseye: open; for

CVE-2024-52510 | MEDIUM | CVSS 4.2 | fixed in nextcloud-desktop 3.15.0-1 (forky) | 2024
[MEDIUM] CVE-2024-52510: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later. Scope: local book

CVE-2024-37885 | LOW | CVSS 3.8 | 2024
[LOW] CVE-2024-37885: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0. Scope: local; bookworm

CVE-2024-46958 | LOW | CVSS 9.1 | fixed in nextcloud-desktop 3.15.0-1 (forky) | 2024
[CRITICAL] CVE-2024-46958: nextcloud-desktop - In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4. Scope: local; bookworm: resolved; bullseye: resolved; forky: resolved (fixed in 3.15.0-1); sid: resolved (fixed in 3.15.0-1); trixie: resolved (fixed in 3.15.0-1)

CVE-2023-28997 | MEDIUM | CVSS 6.7 | fixed in nextcloud-desktop 3.7.0-1 (bookworm) | 2023
[MEDIUM] CVE-2023-28997: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. Sc

CVE-2023-29000 | MEDIUM | CVSS 5.4 | fixed in nextcloud-desktop 3.7.0-1 (bookworm) | 2023
[MEDIUM] CVE-2023-29000: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in

CVE-2023-28999 | MEDIUM | CVSS 6.9 | fixed in nextcloud-desktop 3.9.0-1 (forky) | 2023
[MEDIUM] CVE-2023-28999: nextcloud-desktop - Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This issue i

CVE-2023-28998 | MEDIUM | CVSS 6.7 | fixed in nextcloud-desktop 3.7.0-1 (bookworm) | 2023
[MEDIUM] CVE-2023-28998: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3

CVE-2023-23942 | MEDIUM | CVSS 5.4 | fixed in nextcloud-desktop 3.6.4-1 (bookworm) | 2023
[MEDIUM] CVE-2023-23942: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for JavaScript injection. It is recommende

CVE-2022-39332 | MEDIUM | CVSS 4.6 | fixed in nextcloud-desktop 3.6.1-1 (bookworm) | 2022
[MEDIUM] CVE-2022-39332: nextcloud-desktop - Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Scope: local; bookworm: resolved (fixed in 3.6.1-

CVE-2022-39331 | MEDIUM | CVSS 4.6 | fixed in nextcloud-desktop 3.6.1-1 (bookworm) | 2022
[MEDIUM] CVE-2022-39331: nextcloud-desktop - Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Scope: local; bookworm: resolved (fixed in 3.6.1-1); bullseye

CVE-2022-39333 | MEDIUM | CVSS 4.6 | fixed in nextcloud-desktop 3.6.1-1 (bookworm) | 2022
[MEDIUM] CVE-2022-39333: nextcloud-desktop - Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Scope: local; bookworm: resolved (fixed in 3.6.1-1); bullseye: resolved (fixed in

CVE-2022-41882 | MEDIUM | CVSS 6.6 | fixed in nextcloud-desktop 3.6.1-1 (bookworm) | 2022
[MEDIUM] CVE-2022-41882: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometime

CVE-2022-39334 | LOW | CVSS 3.9 | fixed in nextcloud-desktop 3.6.1-1 (bookworm) | 2022
[LOW] CVE-2022-39334: nextcloud-desktop - Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does

CVE-2021-22879 | HIGH | CVSS 8.8 | fixed in nextcloud-desktop 3.1.1-2 (bookworm) | 2021
[HIGH] CVE-2021-22879: nextcloud-desktop - Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation. Scope: local; bookworm: resolved (fixed in 3.1.1-2); bullseye: resolved (fixed in 3.1.1-2); forky: resolved (fixed in 3.1.1-2); sid: resolved (fixe

CVE-2021-22895 | MEDIUM | CVSS 5.9 | fixed in nextcloud-desktop 3.3.1-1 (bookworm) | 2021
[MEDIUM] CVE-2021-22895: nextcloud-desktop - Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. Scope: local; bookworm: resolved (fixed in 3.3.1-1); bullseye: resolved (fixed in 3.1.1-2+deb11u1); forky: resolved (fixed in 3.3.1-1); sid: resolved (fixed in 3.3.1-1); trixie: reso

CVE-2021-32728 | MEDIUM | CVSS 6.5 | fixed in nextcloud-desktop 3.3.1-1 (bookworm) | 2021
[MEDIUM] CVE-2021-32728: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate.

CVE-2021-37617 | LOW | CVSS 7.3 | 2021
[HIGH] CVE-2021-37617: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by reg

CVE-2020-8225 | HIGH | CVSS 7.5 | fixed in nextcloud-desktop 3.0.1-1 (bookworm) | 2020
[HIGH] CVE-2020-8225: nextcloud-desktop - A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials. Scope: local; bookworm: resolved (fixed in 3.0.1-1); bullseye: resolved (fixed in 3.0.1-1); forky: resolved (fixed in 3.0.1-1); sid: resolved (fixed in 3.0.1-1); trixie: resolved (fixed in 3.0.1-1)