CVE-2019-5454

CRITICAL

Nextcloud - SQL Injection

Title source: rule

Description

SQL Injection in the Nextcloud Android app prior to version 3.0.0 allows to destroy a local cache when a harmful query is executed requiring to resetup the account.

Exploits (1)

nomisec WRITEUP

by shanika04 · poc

https://github.com/shanika04/nextcloud_android

View Code ZIP pw:eip

References (1)

[Patch, Third Party Advisory] https://hackerone.com/reports/291764

Scores

CVSS v3 9.8

EPSS 0.0050

EPSS Percentile 66.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (13)

nextcloud/nextcloud 1.0.0

nextcloud/nextcloud 1.0.1

nextcloud/nextcloud 1.1.0 (3 CPE variants)

nextcloud/nextcloud 1.2.0 (3 CPE variants)

nextcloud/nextcloud 1.3.0 (3 CPE variants)

nextcloud/nextcloud 1.3.1

nextcloud/nextcloud 1.4.0 (5 CPE variants)

nextcloud/nextcloud 1.4.1 (5 CPE variants)

nextcloud/nextcloud 1.4.2 (5 CPE variants)

nextcloud/nextcloud 1.4.3

... and 3 more

Published Jul 30, 2019

Tracked Since Feb 18, 2026