All Categories
  • 1st Steps
  • Authentication
  • Branding
  • Changelogs
  • Collaboration
  • Compliance
  • Customization
  • Desktop Client
  • External Storage
  • Frequently Asked Questions
  • Installation
  • Migrations
  • Mobile Clients
  • Nextcloud Context Chat
  • Nextcloud Flow (Windmill integration)
  • Nextcloud Talk
  • Operations
  • Partner Products
  • Roundcubemail
  • Scalability
  • Security
  • Contextualizing Security Report Results

    1. Bootstrap Version 3.3.x

    The string "Bootstrap v3.3.x" appears in some bundled JavaScript files because it is part of a copyright comment in a SCSS file in a dependency. However, Bootstrap v3.3.x JavaScript code is not used anywhere, only some SCSS rules copied over that are not vulnerable.

    1. unsafe-inline Content Security Policy

    Nextcloud is not using the unsafe-inline CSP for scripts, only for styles. It is an accepted risk on the side of Nextcloud, and considered a low risk. The unsafe-inline CSP is considered a Technical Debt and will disappear as the code base moves forward towards a rewrite in Vue for the frontend.

    1. User Enumeration on various endpoints

    There are various endpoints that might show up in a security report that are susceptible to User Enumeration. This is an accepted risk on the side of Nextcloud, and considered a low risk. Due to the collaborative nature of Nextcloud, such as the possibility of federating with another Nextcloud instance, User Enumeration is even a necessity.

    More details on the Threat Model for Nextcloud can be found at https://nextcloud.com/security/threat-model/