4992 matches found
CVE-2023-39954
CVE-2023-39954 affects the Nextcloud user_oidc app (OIDC backend). Versions 1.0.0 through 1.3.2 allow an attacker with read access to a database snapshot to impersonate the Nextcloud server toward linked servers due to unencrypted storage of the client secret. A patch exists in version 1.3.3. No...
CVE-2023-39954 user_oidc app stores client secret unencrypted in database
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, an attacker that obtained at least read access to a snapshot of the database can impersonate the Nextcloud server towards linked servers. user_oidc...
CVE-2023-39953
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also...
CVE-2023-39952
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced...
Code injection
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced...
Code injection
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also...
CVE-2023-39953
The CVE-2023-39953 entry concerns Nextcloud’s user_oidc app. Affected versions: 1.0.0 through 1.3.2. Root cause: missing verification of the issuer in the OIDC token validation, enabling a potential Man-in-the-Middle attack that could return corrupted or known tokens. Impact: attacker could lever...
CVE-2023-39953 Issuer not verified from obtained token in user_oidc
user_oidc provides the OIDC connect user backend for Nextcloud, an open-source cloud platform. Starting in version 1.0.0 and prior to version 1.3.3, missing verification of the issuer would have allowed an attacker to perform a man-in-the-middle attack returning corrupted or known token they also...
CVE-2023-39952 Advanced permissions not respected when copying entire group folders
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced...
CVE-2023-39952
CVE-2023-39952 affects Nextcloud Server: a user could access files inside a subfolder of a groupfolder despite advanced permissions. Affected are Nextcloud Server versions starting at 22.0.0 up to but not including the patches listed for 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0....
Missing password confirmation when creating app passwords
None...
Existence of calendars and addressbooks can be checked by unauthenticated users
None...
Users can delete external storage mount points
None...
Text does not respect "Allow download" permissions
None...
Missing brute force protection on OAuth2 API controller
None...
Path traversal allows tricking the Talk Android app into writing files into its root directory
None...