Nextcloud: Authentication bypass in Global Site Selector allows an attacker to log in as any user
Authentication bypass vulnerability in software allowed attacker to bypass authentication and log in as any user...
Nextcloud: RCE on WordPress website
A remote code execution vulnerability was exploited on a WordPress website due to unsafe deserialization of user input. This allowed arbitrary code execution as the web server user...
Nextcloud: Can download files by zipping the folder
A vulnerability was identified where files could be downloaded without proper permissions by zipping and downloading a folder, despite not having direct download access. This allowed circumvention of view-only restrictions...
Nextcloud: App PIN code can be bypassed in Files iOS
A vulnerability was discovered in the PIN code implementation of the Files iOS app version 4.9.1 that allowed an attacker to bypass the PIN code protection via brute force due to lack of rate limiting, enabling unauthorized access to the app...
Nextcloud: Bruteforce protection in password verification can be bypassed
A vulnerability was found where the IP address used for brute force protection in Nextcloud server could be bypassed by adding a valid X-Forwarded-For header. This allowed an attacker to bypass the brute force protection and brute force login credentials...
The vulnerability of cloud-based software for creating and using Nextcloud storage solutions lies in the storage of OAuth2 tokens in an exposed manner. This allows attackers to gain access to the server and enhance their privileges.
The vulnerability of cloud-based software for creating and using Nextcloud storage involves the storage of OAuth2 tokens in an exposed manner. Exploiting this vulnerability could allow a malicious actor to gain access to the server and enhance their privileges...
The vulnerability of the Memcached component of cloud software for creating and using Nextcloud data storage allows an attacker to cause a service failure.
The vulnerability of the Memcached component in cloud software for creating and using a data storage service for Nextcloud is related to the use of Memcached as memcache.distributed. Limiting the server’s performance may unexpectedly cause the performance counter to be reset earlier than expected...
The vulnerability of the Nextcloud calendar application, a cloud-based software for creating and using Nextcloud data storage, allows a hacker to cause a service failure.
The vulnerability of the Nextcloud calendar application, a cloud-based software for creating and using Nextcloud data storage, stems from the lack of preliminary checks by the server to verify the validity of email addresses when sending emails. Exploiting this vulnerability could allow an attack...
ROS-20231024-03
The OAuth2 token vulnerability of the cloud-based software for creating and utilizing Nextcloud data storage is related to the storage of OAuth2 tokens in plaintext. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to the server a...
The vulnerability of the application interface for WebDAV cloud software for creating and using Nextcloud data storage allows a perpetrator to gain access to confidential information.
The vulnerability of the WebDAV application programming interface of cloud-based software for creating and using Nextcloud data storage solutions is related to insufficient restrictions on authentication attempts. Exploiting this vulnerability could allow a malicious actor to gain access to...
ROS-20231020-02
A vulnerability in the Nextcloud calendar application for cloud-based software for creating and using Nextcloud data storage is related to the server's lack of pre-checks before validating strings of any length as an email address. Exploitation of the vulnerability could...
ROS-20231019-01
A vulnerability in Nextcloud cloud storage creation and utilization software is related to a lack of protection and allows password guessing in the WebDAV API. Exploitation of the vulnerability could allow an attacker acting remotely to gain access to confidential information...
SUSE CVE-2023-45149
Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the...
SUSE CVE-2023-45151
Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their...
SUSE CVE-2023-45148
Nextcloud is an open source home cloud server. When Memcached is used as memcache.distributed the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgra...
SUSE CVE-2023-45660
Nextcloud mail is an email app for the Nextcloud home server platform. In affected versions a missing check of origin, target and cookies allows for an attacker to abuse the proxy endpoint to denial of service a third server. It is recommended that the Nextcloud Mail is upgraded to 2.2.8 or 3.3.0...
SUSE CVE-2023-45150
Nextcloud calendar is a calendar app for the Nextcloud server platform. Due to missing precondition checks the server was trying to validate strings of any length as email addresses even when megabytes of data were provided, eventually making the server busy and unresponsive. It is recommended th...
SUSE CVE-2023-39960
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing...
Nextcloud: Delete external storage of any user
An external storage vulnerability was discovered that allowed standard users to delete external storage resources from any user account in the application. By modifying a system-generated ID, unauthorized users could remove externally linked storage without special privileges, potentially resulti...
Nextcloud Server 25.x < 25.0.8, 26.x < 26.0.3, 27.x < 27.0.1 Improper Access Control Vulnerability (GHSA-hhgv-jcg9-p4m9)
Nextcloud Server is prone to an improper access control vulnerability.