
1082 matches found

Positive Technologies
added 2020/10/15 12:0 a.m. · 4 views

PT-2020-20000 · Nextcloud +1 · Nextcloud Server +1

Name of the Vulnerable Software and Affected Versions: Nextcloud Server version 18.0.4 Description: A too small set of random characters being used for encryption allowed decryption in a shorter time than intended. Recommendations: For Nextcloud Server version 18.0.4, update to a version that use...

CVSS: 8.1 · AI score: 5.6 · EPSS: 0.01924
Exploits: 14 · References: 41

Positive Technologies
added 2020/10/15 12:0 a.m. · 4 views

PT-2020-20067 · Nextcloud +1 · Nextcloud Server +1

Name of the Vulnerable Software and Affected Versions: Nextcloud Server version 19.0.1 Description: The issue is related to insufficient protection of server-side encryption keys, allowing an attacker to replace these keys. Recommendations: For Nextcloud Server version 19.0.1, update to a version...

CVSS: 8.1 · AI score: 5.6 · EPSS: 0.01924
Exploits: 14 · References: 41

Positive Technologies
added 2020/10/15 12:0 a.m. · 6 views

PT-2020-20047 · Nextcloud +1 · Nextcloud Server +1

Name of the Vulnerable Software and Affected Versions: Nextcloud Server version 19.0.1 Description: The issue arises from a misconfiguration in Nextcloud Server, where the user is incorrectly led to believe that passwordless WebAuthn also serves as two-factor verification. This misconception occu...

CVSS: 8.1 · AI score: 5.6 · EPSS: 0.01924
Exploits: 14 · References: 40

Positive Technologies
added 2020/10/10 12:0 a.m. · 2 views

PT-2020-20008 · Nextcloud +2 · Nextcloud Server +2

Name of the Vulnerable Software and Affected Versions: Nextcloud Server version 19.0.0 Description: A logic error caused the plaintext storage of the share password when it was given on the initial create API call. Recommendations: For Nextcloud Server version 19.0.0, update to a version that fix...

CVSS: 9 · AI score: 5.8 · EPSS: 0.04419
Exploits: 15 · References: 58

OSV
added 2020/10/05 2:15 p.m. · 27 views

CVE-2020-8223

A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves...

CVSS: 6.5 · AI score: 6.9
Exploits: 0 · References: 4

Prion
added 2020/10/05 2:15 p.m. · 21 views

Privilege escalation

A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves...

CVSS: 3.5 · AI score: 6.6 · EPSS: 0.0145
Exploits: 1 · References: 4 · Affected Software: 2

Nextcloud
added 2020/10/03 12:0 a.m. · 29 views

Improper integrity protection of server-side encryption keys (NC-SA-2020-041)

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys...

CVSS: 5.5 · AI score: 4 · EPSS: 0.00727
Exploits: 1 · Affected Software: 1

Nextcloud
added 2020/10/03 12:0 a.m. · 44 views

Denial of Service by requesting to reset a password (NC-SA-2021-003)

A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user...

CVSS: 5 · AI score: 3.2 · EPSS: 0.01807
Exploits: 1 · Affected Software: 1

Nextcloud
added 2020/10/03 12:0 a.m. · 34 views

Improper confidentiality protection of server-side encryption keys (NC-SA-2020-040)

Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on...

CVSS: 2.1 · AI score: 3.6 · EPSS: 0.0032
Exploits: 2 · Affected Software: 1

Nextcloud
added 2020/08/26 12:0 a.m. · 32 views

Downgrade encryption scheme and break integrity through known-plaintext attack (NC-SA-2020-039)

A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files...

CVSS: 1.9 · AI score: 2.8 · EPSS: 0.00286
Exploits: 2 · Affected Software: 1

Nextcloud
added 2020/08/26 12:0 a.m. · 33 views

Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038)

A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file...

CVSS: 5 · AI score: 3.3 · EPSS: 0.00716
Exploits: 1 · Affected Software: 1

Nextcloud
added 2020/06/04 12:0 a.m. · 34 views

Increase random used for encryption (NC-SA-2020-023)

A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended...

CVSS: 3.5 · AI score: 3.3 · EPSS: 0.00365
Exploits: 1 · Affected Software: 1

CNVD
added 2020/05/14 12:0 a.m. · 9 views

Nextcloud Server Cross-Site Scripting Vulnerability (CNVD-2021-28008)

Nextcloud is a set of open source self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A cross-site scripting vulnerability exists in the Files PDF viewer in Nextcloud Server versions prior to 18.0.3. The vulnerability stems from a lack of prope...

CVSS: 5.4 · AI score: 6 · EPSS: 0.01138
Exploits: 0 · References: 1

OpenVAS
added 2020/05/13 12:0 a.m. · 36 views

Nextcloud Server 18.x < 18.0.3 XSS Vulnerability (NC-SA-2020-019)

Nextcloud Server is prone to a cross-site scripting vulnerability in the Files PDF viewer. SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE ...

CVSS: 5.4 · AI score: 6.1 · EPSS: 0.01138
Exploits: 0 · References: 1

NVD
added 2020/05/12 1:15 p.m. · 26 views

CVE-2020-8154

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint...

CVSS: 7.7 · AI score: 7.4 · EPSS: 0.01773
Exploits: 1 · References: 7

NVD
added 2020/05/12 1:15 p.m. · 21 views

CVE-2020-8155

An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF...

CVSS: 5.4 · AI score: 5.9 · EPSS: 0.01138
Exploits: 0 · References: 6

Prion
added 2020/05/12 1:15 p.m. · 22 views

Design/Logic Flaw

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint...

CVSS: 6.8 · AI score: 7.4 · EPSS: 0.01773
Exploits: 1 · References: 7 · Affected Software: 1

Cvelist
added 2020/05/12 1:1 p.m. · 32 views

CVE-2020-8155

An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF...

AI score: 6.2 · EPSS: 0.01138
Exploits: 0 · References: 6

CVE
added 2020/05/12 1:1 p.m. · 153 views

CVE-2020-8155

CVE-2020-8155 is addressed in Nextcloud security updates across multiple distributions. OpenSUSE and Fedora advisories show Nextcloud updates (e.g., openSUSE-2020-670, openSUSE-2020-0670-1, FEDORA_2020-C9863904DE/NASLs) that fix CVE-2020-8155. The openSUSE entries describe CVE-2020-8155 as a dire...

CVSS: 5.4 · AI score: 6 · EPSS: 0.01138
Exploits: 0 · References: 6 · Affected Software: 1

Cvelist
added 2020/05/12 1:1 p.m. · 40 views

CVE-2020-8154

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint...

AI score: 7.5 · EPSS: 0.01773
Exploits: 1 · References: 7