Nextcloud: Attachments folder for Text app is accessible on Files Drop/Password protected shares
The Nextcloud Text app's attachments folder was found to be accessible on Files Drop/Password protected shares...
Nextcloud: ID4me feature of OpenID connect app available even when disabled
The useroidc app in Nextcloud allowed the registration of new accounts by accessing the /apps/useroidc/id4me endpoint, even when the ID4Me feature was disabled. This was caused by the setting to enable/disable ID4Me having no effect on the accessibility of the controllers...
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, stems from a lack of limits on authentication attempts and allows attackers to bypass passwords.
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, is related to the absence of restrictions on authentication attempts. Exploiting this vulnerability can allow a malicious actor to bypass any password restrictions...
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, is related to improper access control and allows a malicious actor to gain unauthorized access to protected information.
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, is related to improper access control. Exploiting this vulnerability can allow a malicious actor, operating remotely, to gain unauthorized access to protected information...
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, stems from a lack of limits on authentication attempts and allows attackers to bypass the authentication process.
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, is related to the lack of restrictions on authentication attempts. Exploiting this vulnerability can allow a malicious actor to bypass the authentication process remotely...
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, stems from a lack of limits on authentication attempts and allows attackers to carry out a brute-force attack.
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, is related to the lack of restrictions on authentication attempts. Exploiting this vulnerability allows a malicious actor to carry out a brute-force attack...
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, is related to a lack of access control and allows a malicious actor to modify or delete VCards from the system address book on the Nextcloud server.
A vulnerability in the index.php component of the Enterprise Server software package, cloud-based software for creating and managing data storage in Nextcloud Server, is related to inadequate access control mechanisms. Exploiting this vulnerability could allow an attacker to remotely modify o...
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, is related to the unencrypted storage of critical information and allows attackers to compromise the passwords of arbitrary users.
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, involves the unencrypted storage of critical information. Exploiting this vulnerability can allow attackers to disclose the passwords of arbitrary users...
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, stems from an incorrect expiration time for user sessions and allows attackers to intercept user sessions.
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, is related to incorrect session duration. Exploiting this vulnerability can allow attackers to intercept user sessions...
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, stems from insufficient checking of incoming requests and allows attackers to carry out SSRF attacks.
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, is related to insufficient checking of incoming requests. Exploiting this vulnerability can allow a malicious actor to carry out an SSRF attack remotely...
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, stems from an incorrect expiration time for sessions and allows attackers to bypass authentication processes.
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, is related to incorrect session expiration times. Exploiting this vulnerability can allow a malicious actor to bypass authentication processes remotely...
A vulnerability in Nextcloud Server, software for creating and using data storage, stems from an open redirect and allows an attacker to redirect users to an arbitrary URL.
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, relates to an open redirect. Exploiting this vulnerability could allow a malicious actor to redirect users to an arbitrary URL...
A vulnerability in Nextcloud Server, cloud software for creating and using data storage, stems from the improper assignment of file permissions and allows an attacker to delete arbitrary files.
A vulnerability in Nextcloud Server, cloud-based software for creating and using data storage, is related to the improper assignment of file permissions. Exploiting this vulnerability could allow a malicious actor to delete arbitrary files...
SUSE CVE-2024-22403
Nextcloud server is a self-hosted personal cloud system. In affected versions OAuth codes did not expire. If an attacker gained access to an authorization code, they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no...
Nextcloud: Deck app allows to spoof file extensions by using RTLO characters
The Deck app was found to allow spoofing of file extensions by using RTLO characters...
CVE-2024-22402
Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It i...
CVE-2024-22401
Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or...
CVE-2024-22404
Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to...
Code injection
Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to...
Design/Logic Flaw
Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or...