1082 matches found

Vulnrichment
added 2023/03/30 6:27 p.m. · 9 views

CVE-2023-26482 Scope of workflow operations is not validated in nextcloud server

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs,...

CVSS 9 · AI score 9 · EPSS 0.04176
Exploits 2 · References 2

CNNVD
added 2023/03/30 12:0 a.m. · 2 views

Nextcloud OS Command Injection Vulnerability

Nextcloud is an open source, self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. An operating system command injection vulnerability exists in Nextcloud server, which stems from an unvalidated workflow scope of operation that results in the...

CVSS 9 · AI score 8.3 · EPSS 0.04176
Exploits 2 · References 3

CNNVD
added 2023/03/30 12:0 a.m. · 4 views

Nextcloud Code Issue Vulnerability

Nextcloud is an open source, self-hosted file synchronization and sharing communication application platform from Nextcloud, a German company. A code issue vulnerability exists in Nextcloud server that stems from the ability to control file names when uploading a website icon as an administrator ...

CVSS 8.8 · AI score 7.9 · EPSS 0.00762
Exploits 0 · References 3

Positive Technologies
added 2023/03/30 12:0 a.m. · 4 views

PT-2023-2469 · Nextcloud +2 · Nextcloud Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 24.0.10; Nextcloud Server versions prior to 25.0.4. Description: The issue is related to the lack of restrictions on file uploads in the Nextcloud server, allowing administrators to upload a logo or favicon wi...

CVSS 10 · AI score 6.1 · EPSS 0.04176
Exploits 5 · References 27

CNNVD
added 2023/03/30 12:0 a.m. · 3 views

Nextcloud Security Vulnerability

Nextcloud is a suite of open source, self-hosted file synchronization and sharing communication application platform from Nextcloud Germany. A security vulnerability exists in Nextcloud server, which stems from a sharing conflict that can occur in recipients when caching is enabled. Affected...

CVSS 8.8 · AI score 7.8 · EPSS 0.00792
Exploits 1 · References 4

Positive Technologies
added 2023/03/30 12:0 a.m. · 3 views

PT-2023-2468 · Nextcloud +2 · Nextcloud Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 24.0.10; Nextcloud Server versions prior to 25.0.4. Description: The issue is related to the generated fallback password when creating a share in Nextcloud Server, which uses a weak complexity random number...

CVSS 9 · AI score 6.2 · EPSS 0.04176
Exploits 5 · References 38

SUSE CVE
added 2023/03/29 1:53 a.m. · 4 views

SUSE CVE-2023-25817

Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to be able to delete, only view or download. This issue has been addressed and it is recommended that the...

CVSS 8.1 · AI score 6.9 · EPSS 0.00564
Exploits 0 · References 3

Vulnrichment
added 2023/03/27 8:4 p.m. · 8 views

CVE-2023-25817 Delete permissions are not saved when creating public share in Nextcloud server

Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to be able to delete, only view or download. This issue has been addressed and it is recommended that the...

CVSS 3.5 · AI score 8.2 · EPSS 0.00564
Exploits 0 · References 2

CVE
added 2023/03/27 8:0 p.m. · 82 views

CVE-2023-25818

CVE-2023-25818 affects Nextcloud Server in multiple versions: 24.0.0–24.0.10 and 25.0.0–25.0.4 (and related Enterprise/server variants). The root cause is lack of brute-force protection on authentication-related endpoints (password resets), enabling potential password-guessing attacks. A throttle...

CVSS 7.1 · AI score 6 · EPSS 0.00602
Exploits 0 · References 3 · Affected Software 1

Vulnrichment
added 2023/03/27 8:0 p.m. · 5 views

CVE-2023-25818 Missing brute force protection on password reset token in Nextcloud Server

Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit 704eb3aa password reset attempts are now throttled. Note...

CVSS 5.3 · AI score 7 · EPSS 0.00602
Exploits 0 · References 3

SUSE CVE
added 2023/03/24 2:47 a.m. · 2 views

SUSE CVE-2023-25820

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud...

CVSS 7.8 · AI score 6.8 · EPSS 0.00235
Exploits 0 · References 3

Prion
added 2023/03/22 7:15 p.m. · 22 views

Default credentials

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud...

CVSS 4.3 · AI score 7.6 · EPSS 0.00235
Exploits 0 · References 3 · Affected Software 1

Vulnrichment
added 2023/03/22 6:22 p.m. · 8 views

CVE-2023-25820 Nextcloud Server and Enterprise Server missing brute force protection on password confirmation modal

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud...

CVSS 4.2 · AI score 7.7 · EPSS 0.00235
Exploits 0 · References 3

CVE
added 2023/03/22 6:22 p.m. · 83 views

CVE-2023-25820

CVE-2023-25820 affects Nextcloud Server and Enterprise Server: if an attacker gains access to an already logged-in user session, they can brute-force the password on the confirmation endpoint. Affected ranges and patches per sources include Nextcloud Server 24.0.x < 24.0.10 and 25.0.x < 25....

CVSS 7.8 · AI score 5.8 · EPSS 0.00235
Exploits 0 · References 3 · Affected Software 1

Positive Technologies
added 2023/03/22 12:0 a.m. · 13 views

PT-2023-20326 · Nextcloud +1 · Nextcloud Enterprise Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions 24.0.x through 24.0.9; Nextcloud Server versions 25.0.x through 25.0.4; Nextcloud Enterprise Server versions 21.x through 21.0.9.9; Nextcloud Enterprise Server versions 22.x through 22.2.0.9; Nextcloud Enterprise Server...

CVSS 9 · AI score 6.1 · EPSS 0.04176
Exploits 4 · References 26

Nextcloud
added 2023/02/24 7:22 a.m. · 46 views

No password length restriction in reset password endpoint

None...

CVSS 6.5 · AI score 6.3 · EPSS 0.01373
Exploits 1 · References 2 · Affected Software 1

SUSE CVE
added 2023/02/24 3:7 a.m. · 2 views

SUSE CVE-2023-25579

Nextcloud server is a self-hosted home cloud product. In affected versions the OC\Files\Node\Folder::getFullPath function was validating and normalizing the string in the wrong order. The function is used in the newFile and newFolder items, which may allow the creation of paths outside of one's own...

CVSS 6 · AI score 6.8 · EPSS 0.00505
Exploits 0 · References 4

Vulnrichment
added 2023/02/22 6:21 p.m. · 13 views

CVE-2023-25579 Directory traversal in Nextcloud server

Nextcloud server is a self-hosted home cloud product. In affected versions the OC\Files\Node\Folder::getFullPath function was validating and normalizing the string in the wrong order. The function is used in the newFile and newFolder items, which may allow the creation of paths outside of one's own...

CVSS 6 · AI score 6.7 · EPSS 0.00505
Exploits 0 · References 2

Nextcloud
added 2023/02/22 8:33 a.m. · 117 views

Potential directory traversal in OC\Files\Node\Folder::getFullPath

None...

CVSS 7.5 · AI score 7.3 · EPSS 0.00505
Exploits 0 · References 2 · Affected Software 1

SUSE CVE
added 2023/02/15 4:53 a.m. · 2 views

SUSE CVE-2017-0936

Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves were neither disclosed nor could...

CVSS 5.7 · AI score 6.8 · EPSS 0.00778
Exploits 0 · References 3