CVE-2024-22403 OAuth2 authorization codes are valid indefinitely in Nextcloud server
Nextcloud server is a self-hosted personal cloud system. In affected versions OAuth codes did not expire. An attacker who gained access to an authorization code could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no...
CVE-2024-22400
The CVE-2024-22400 issue affects Nextcloud User SAML, an app for authenticating Nextcloud users via SAML. Affected versions allow an open redirect: a user_saml RelayState parameter can redirect to an uncontrolled third-party server. Mitigation per sources is to upgrade the User SAML app to versio...
CVE-2024-22400 Open redirect in user_saml via RelayState parameter in Nextcloud User Saml
Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions users can be given a link to the Nextcloud server and end up on an uncontrolled third-party server. It is recommended that the User Saml app is upgraded to version 5.1.5, 5.2.5, or 6.0.1. There are no...
CVE-2024-22212
Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector i...
Design/Logic Flaw
Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector i...
CVE-2024-22213 Cross-site Scripting when sending HTML as a comment in the Nextcloud Deck app
Deck is a kanban-style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into running malicious code in their browser via HTML sent as a comment. It is recommended that the...
CVE-2024-22213
CVE-2024-22213 affects Nextcloud Deck (kanban-style app) and enables cross-site scripting via HTML submitted as a comment. The root cause is untrusted HTML execution in the Deck comment flow, allowing malicious code to run in a user’s browser. Affected versions include Deck 1.9.x and 1.10.x lines...
CVE-2024-22212 Nextcloud global site selector authentication bypass
Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector i...
CVE-2024-22212
CVE-2024-22212 concerns the Nextcloud Global Site Selector, where a flaw in the password verification method allows an attacker to authenticate as another user. Affected versions require upgrades to 1.4.1, 2.1.2, 2.3.4, or 2.4.5; no public workarounds are noted in the provided documents. There ar...
Open redirect in user_saml via RelayState parameter
Improper handling of request URLs in Guests app allows guest users to bypass app allowlist
OAuth2 authorization codes are valid indefinitely
Self XSS when sending HTML as a comment in the Deck app
Global site selector authentication bypass
PT-2024-19391 · Nextcloud · Nextcloud User Saml
Name of the Vulnerable Software and Affected Versions:
Nextcloud User Saml versions prior to 5.1.5
Nextcloud User Saml versions prior to 5.2.5
Nextcloud User Saml versions prior to 6.0.1
Description: Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions...