CVE-2024-52513 Nextcloud Server's Attachments folder for Text app is accessible on "Files drop" and "Password protected" shares

Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to...

CVE-2024-52513

Nextcloud Server’s Text app contains an attachments folder that is accessible via Files drop or Password protected shares. A malicious user can download attachments referenced in text files without providing the password after receiving such a share link. Affected versions include Nextcloud Serve...

CVE-2024-52514 Nextcloud Server allows users to copy folder that contain files that are blocked by the files access control

Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files...

CVE-2024-52514

Summary of CVE-2024-52514 (Nextcloud Server) : The vulnerability is an access control error where, after a share is blocked by file access controls, a user can copy an intermediate folder and subsequently access blocked files based on user permissions. This affects Nextcloud Server (self-hosted f...

CVE-2024-52514 Nextcloud Server allows users to copy folder that contain files that are blocked by the files access control

Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files...

CVE-2024-52514 Nextcloud Server allows users to copy folder that contain files that are blocked by the files access control

Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files...

CVE-2024-52515 Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews

Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended...

CVE-2024-52515 Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews

Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended...

CVE-2024-52515 Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews

Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended...

CVE-2024-52515

The CVE-2024-52515 entry concerns Nextcloud Server where, after an admin enables the default-disabled SVG preview provider, a malicious user could upload an SVG file that references paths, causing the preview to render another file’s contents. Technical details across connected sources confirm th...

CVE-2024-52516 Nextcloud Server's shares are not removed when user is limited to share with in their groups and being removed from one of them

Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 o...

CVE-2024-52516 Nextcloud Server's shares are not removed when user is limited to share with in their groups and being removed from one of them

Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 o...

CVE-2024-52516 Nextcloud Server's shares are not removed when user is limited to share with in their groups and being removed from one of them

Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 o...

CVE-2024-52516

CVE-2024-52516 - Nextcloud Server group-based sharing not revoked The connected PT-Security advisory confirms concrete details: Nextcloud Server (and Enterprise Server) versions prior to specific fixed releases are affected. When a user is removed from a group, shares restricted to that group are...

CVE-2024-52517 Nextcloud Server's global credentials of external storages are sent back to the frontend

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...

CVE-2024-52517 Nextcloud Server's global credentials of external storages are sent back to the frontend

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...

CVE-2024-52517 Nextcloud Server's global credentials of external storages are sent back to the frontend

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...

CVE-2024-52517

CVE-2024-52517 affects Nextcloud Server (and Enterprise Server) where, after storing global credentials for external storage, the API returns them and injects them into the frontend, enabling plaintext read by someone with an active user session. This information disclosure risk is limited to use...

CVE-2024-52518 Nextcloud Server is missing password confirmation when changing external storage options

Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded...

CVE-2024-52518 Nextcloud Server is missing password confirmation when changing external storage options

Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded...