HackerOne Disclosed Reports - 2025-09-29


Medium
resolved

Information Exposure Through Directory Listing


Bug reported by Md. Farhad Ali was disclosed on September 29, 2025, at 3:53 pm | Information Exposure Through Directory Listing

The web server was configured to display a list of files contained in the directory. This is not recommended as the directory may have contained files that were not normally exposed through links on the website.


Low
resolved

Email not verified when changing afterwards on apps.nextcloud.com


Bug reported by Md. Farhad Ali was disclosed on September 29, 2025, at 3:50 pm | Violation of Secure Design Principles

The email verification bypass vulnerability was discovered in the web application apps.nextcloud.com. The vulnerability allowed attackers to create accounts with any email address without verification, effectively taking over victim accounts.


Medium
resolved

Exposing debug.log file leads to server full path disclosure


Bug reported by Md. Farhad Ali was disclosed on September 29, 2025, at 3:50 pm | Business Logic Errors

The debug.log file on the nextcloud.com website was publicly accessible and contained sensitive information, including the server's full directory path. This type of information disclosure could have assisted attackers in understanding the internal structure of the server.



Messages In This Thread
HackerOne disclosed reports - 2025-09-29 - by hashXploiter - 09-30-2025, 12:30 PM


