CVE: CVE-2017-0891, CVE-2017-8896
Both have bug bounty programs via the HackerOne platform. I got rewards for both. NextCloud was very fast with the fix and gave good rewards; NextCloud rewarded me with 450$. Owncloud rewarded me with 150$ and they didn't give enough answers via HackerOne.
A vulnerability has been discovered in Pandora FMS that permits an unauthenticated user to change the password of any Pandora user without knowing that user's password. The vulnerability occurs at the login screen because the session is not checked before the password is changed.
An open redirect vulnerability has been detected in the login form. This vulnerability allows an attacker to redirect users to arbitrary websites through the WatchGuard Fireware XTM Web UI page.
This file browser is vulnerable to path traversal and allows an attacker to access files and directories that are stored outside the web root folder.
The administrator panel of K2 suffers from multiple reflected cross-site scripting vulnerabilities. An attacker could trick an administrator into clicking a malicious URL and steal his cookie or redirect him to a malicious site to generate new attack vectors (e.g. launch exploits against his browser). This XSS only affects administrators, so the range of attacks is limited, but it is still a risk.