
4992 matches found

Prion
added 2024/01/18 9:15 p.m., 17 views

Authentication flaw

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It i...

CVSS 5.5, AI score 7, EPSS 0.0051
Exploits 0, References 3, Affected Software 1

Cvelist
added 2024/01/18 8:23 p.m., 17 views

CVE-2024-22402 Improper handling of request URLs in Nextcloud Guests app allows guest users to bypass app allowlist

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It i...

CVSS 5.4, AI score 5.7, EPSS 0.0051
Exploits 0, References 3

Vulnrichment
added 2024/01/18 8:23 p.m., 2 views

CVE-2024-22402 Improper handling of request URLs in Nextcloud Guests app allows guest users to bypass app allowlist

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It i...

CVSS 5.4, AI score 5.7, EPSS 0.0051
Exploits 0, References 3

OSV
added 2024/01/18 8:23 p.m., 22 views

CVE-2024-22402 Improper handling of request URLs in Nextcloud Guests app allows guest users to bypass app allowlist

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It i...

CVSS 5.4, AI score 5.4, EPSS 0.0051
Exploits 0, References 5

CVE
added 2024/01/18 8:23 p.m., 101 views

CVE-2024-22402

CVE-2024-22402 concerns the Nextcloud Guests app. The issue is an improper handling of request URLs that lets guest users load pages of apps they should not access, effectively bypassing the app allowlist. Affected Nextcloud Guests versions include 2.4.x, 2.5.x, and 3.0.x (with mitigation guidanc...

CVSS 5.4, AI score 5.4, EPSS 0.0051
Exploits 0, References 3, Affected Software 1

Cvelist
added 2024/01/18 8:23 p.m., 21 views

CVE-2024-22401 All users can reset the allowed apps list for Nextcloud Guest App users

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or...

CVSS 4.1, AI score 4.8, EPSS 0.00462
Exploits 0, References 3

Vulnrichment
added 2024/01/18 8:23 p.m., 16 views

CVE-2024-22401 All users can reset the allowed apps list for Nextcloud Guest App users

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or...

CVSS 4.1, AI score 7, EPSS 0.00462
Exploits 0, References 3

OSV
added 2024/01/18 8:23 p.m., 23 views

CVE-2024-22401 All users can reset the allowed apps list for Nextcloud Guest App users

Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or...

CVSS 4.1, AI score 4.7, EPSS 0.00462
Exploits 0, References 5

CVE
added 2024/01/18 8:23 p.m., 52 views

CVE-2024-22401

The CVE-2024-22401 issue affects the Nextcloud Guests app, where non-admin users could alter the allowed-list of apps, enabling use of unintended apps. Affected Nextcloud Guests versions include prior to 2.4.1, prior to 2.5.1, and prior to 3.0.1. Upgrades to 2.4.1, 2.5.1, or 3.0.1 are recommended...

CVSS 4.3, AI score 4.5, EPSS 0.00462
Exploits 0, References 3, Affected Software 1

NVD
added 2024/01/18 8:15 p.m., 16 views

CVE-2024-22400

Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions users can be given a link to the Nextcloud server and end up on an uncontrolled third-party server. It is recommended that the User Saml app is upgraded to version 5.1.5, 5.2.5, or 6.0.1. There are no...

CVSS 6.1, AI score 4.6, EPSS 0.00454
Exploits 0, References 4

NVD
added 2024/01/18 8:15 p.m., 18 views

CVE-2024-22403

Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no...

CVSS 3.7, AI score 3.9, EPSS 0.00452
Exploits 0, References 4

Prion
added 2024/01/18 8:15 p.m., 13 views

Design/Logic Flaw

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into executing malicious code that would execute in their browser via HTML sent as a comment. It is recommended that the...

CVSS 4.9, AI score 7.2, EPSS 0.00505
Exploits 1, References 3, Affected Software 1

Prion
added 2024/01/18 8:15 p.m., 24 views

Authorization

Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no...

CVSS 2.6, AI score 7.1, EPSS 0.00452
Exploits 0, References 3, Affected Software 1

Prion
added 2024/01/18 8:15 p.m., 19 views

Design/Logic Flaw

Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions users can be given a link to the Nextcloud server and end up on an uncontrolled third-party server. It is recommended that the User Saml app is upgraded to version 5.1.5, 5.2.5, or 6.0.1. There are no...

CVSS 5.8, AI score 7.1, EPSS 0.00454
Exploits 0, References 4, Affected Software 1

CVE
added 2024/01/18 8:14 p.m., 56 views

CVE-2024-22404

CVE-2024-22404 is a permissions-bypass in the Nextcloud Files ZIP app. In affected versions, users can download view-only files by zipping an entire folder, bypassing intended access restrictions. Supported mitigations include upgrading the Files ZIP app to version 1.2.1, 1.4.1, or 1.5.0, or disa...

CVSS 4.3, AI score 4.5, EPSS 0.00517
Exploits 0, References 3, Affected Software 1

Cvelist
added 2024/01/18 8:14 p.m., 18 views

CVE-2024-22404 Permissions bypass in Nextcloud with the files zip app

Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to...

CVSS 4.1, AI score 4.9, EPSS 0.00517
Exploits 0, References 3

Vulnrichment
added 2024/01/18 8:14 p.m., 8 views

CVE-2024-22404 Permissions bypass in Nextcloud with the files zip app

Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to...

CVSS 4.1, AI score 4.6, EPSS 0.00517
Exploits 0, References 3

OSV
added 2024/01/18 8:14 p.m., 17 views

CVE-2024-22404 Permissions bypass in Nextcloud with the files zip app

Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to...

CVSS 4.1, AI score 4.7, EPSS 0.00517
Exploits 0, References 5

OSV
added 2024/01/18 8:3 p.m., 27 views

CVE-2024-22403 OAuth2 authorization codes are valid indefinitely in Nextcloud server

Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no...

CVSS 3, AI score 4.6, EPSS 0.00452
Exploits 0, References 6

Cvelist
added 2024/01/18 8:3 p.m., 28 views

CVE-2024-22403 OAuth2 authorization codes are valid indefinitely in Nextcloud server

Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no...

CVSS 3, AI score 4.5, EPSS 0.00452
Exploits 0, References 4