A vulnerability in Nextcloud, cloud-based software for creating and using data storage, is related to improper access control. It allows a hacker to delete any personal or global external storage, making it inaccessible to everyone else.
A vulnerability in Nextcloud, cloud-based software for creating and using data storage, is related to improper access control. Exploiting this vulnerability could allow a malicious actor to delete any personal or global external storage, making it inaccessible to everyone else...
ROS-20230913-02
A Nextcloud server vulnerability is related to improper access control. Exploitation of the vulnerability could allow an attacker acting remotely to access files within a subfolder of an accessible group folder, even if extended permissions block access to the subfolder...
Nextcloud: Bypass password confirmation via Context-dependent access control (CDCA)
A vulnerability was found in Nextcloud server that allowed bypassing password confirmation for deleting workflows. By directly sending a DELETE request to the workflow delete endpoint, an attacker could delete workflows without providing the expected password confirmation. This broken...
Nextcloud: DNS pin middleware can be tricked into DNS rebinding allowing SSRF
A vulnerability was disclosed where the DNS pin middleware could be tricked into DNS rebinding, allowing SSRF...
Nextcloud: Enabling Birthday Contact to any user
The "Birthday Contacts" feature could be enabled for any user, including administrators and super administrators, from a low privileged account within the Nextcloud application by navigating to the calendar settings and intercepting a specific request...
Nextcloud: Memcached used as RateLimiter backend is no-op
A vulnerability was discovered where the Memcached cache was used as the backend for rate limiting. This resulted in cache entries being wiped and rate limit attempts and bruteforce protection being bypassed...
Nextcloud: Error when editing a calendar appointment returns stacktrace and query
A vulnerability was found where editing a calendar appointment and changing the ID to a non-existent value returned an error exposing internal server paths and an SQL query. The issue allowed disclosure of sensitive information...
Nextcloud: Admins can change authentication details of user configured external storage
A vulnerability was found where admins could change authentication details of user configured external storage. This allowed malicious admins to modify global credentials for other admin and user external storage...
Nextcloud Notes Cross-Site Scripting Vulnerability
Nextcloud is an open source, self-hosted file synchronization, sharing and communication platform from Nextcloud, Germany. A cross-site scripting vulnerability exists in Nextcloud Notes version 4.4.0 up to and including 4.8.0, which stems from the fact that when a notes file is...
SUSE CVE-2023-39953
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also...
SUSE CVE-2023-39958
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients...
SUSE CVE-2023-39954
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc...
SUSE CVE-2023-39961
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and...
SUSE CVE-2023-39962
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external...
SUSE CVE-2023-39963
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully steali...
CVE-2023-39962
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external...
CVE-2023-39963
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully steali...
CVE-2023-39961
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and...
CVE-2023-39959
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for...
CVE-2023-39958
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients...