Nextcloud Talk Path Traversal Vulnerability
Nextcloud Talk is a self-hosted local audio/video and chat communication service from Nextcloud Germany. A path traversal vulnerability exists in versions prior to Nextcloud Talk 17.0.0. An attacker exploited the vulnerability to write files outside of their intended cache directory...
Nextcloud Server Multiple Vulnerabilities (GHSA-vv27-g2hq-v48h, GHSA-g97r-8ffm-hfpj, GHSA-qhgm-w4gx-gvgp, GHSA-xwxx-2752-w3xm, GHSA-j4qm-5q5x-54m5)
Nextcloud Server is prone to multiple vulnerabilities.
Nextcloud Server Improper Access Control Vulnerability (GHSA-cq8w-v4fh-4rjq)
Nextcloud Server is prone to an improper access control vulnerability.
Nextcloud: user_ldap app logs user passwords in the log file on level debug
User passwords were logged in Nextcloud application logs when using LDAP authentication and debug log level settings...
Nextcloud: Password of talk conversations can be bruteforced
The password of talk conversations could be bruteforced by adding the password as a parameter on the GET request of the frontpage instead of sending a POST to the authentication endpoint. This allowed bypassing brute force protection of public talk conversation passwords...
A vulnerability in Nextcloud, cloud-based software for creating and using storage solutions, stems from improper handling of insufficient privileges. It allows attackers to gain access to the credentials of other users.
A vulnerability in Nextcloud, cloud-based software for creating and using storage, involves the use of external storage at the user level, which can be used to collect the credentials of other users. Exploiting this vulnerability allows a malicious actor to gain access to another user’s...
MAL-2023-1247 Malicious code in nextcloud-api-sdk (npm)
Source: ossf-package-analysis be6d2af367680b5d332b3472317eeab4a364c78e1617e1d7f3a32f1d797fcdc8 The OpenSSF Package Analysis project identified 'nextcloud-api-sdk' @ 1.1.1 npm as malicious. It is considered malicious because: - The package...
Malicious code in nextcloud-api-sdk (npm)
Source: ossf-package-analysis be6d2af367680b5d332b3472317eeab4a364c78e1617e1d7f3a32f1d797fcdc8 The OpenSSF Package Analysis project identified 'nextcloud-api-sdk' @ 1.1.1 npm as malicious. It is considered malicious because: - The package...
Nextcloud: New AppPassword can be generated without password confirmation
A security vulnerability allowed an attacker to generate a new AppPassword without requiring password confirmation, potentially granting unauthorized access to Nextcloud accounts...
openSUSE 15 Security Update : nextcloud-desktop (openSUSE-SU-2023:0171-1)
The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2023:0171-1 advisory. - Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client...
OPENSUSE-SU-2023:0171-1 Security update for nextcloud-desktop
This update for nextcloud-desktop fixes the following issues: Update to 3.8.0 - Resize WebView widget once the loginpage rendered - Feature/secure file drop - Check German translation for wrong wording - L10n: Correct word - Fix displaying of file details button for local syncfileitem activities ...
Security update for nextcloud-desktop (important)
openSUSE Security Update: Security update for nextcloud-desktop Announcement ID: openSUSE-SU-2023:0171-1 Rating: important References: 1205798 1205799 1205800 1205801 1207976 Cross-References: CVE-2022-39331 CVE-2022-39332 CVE-2022-39333 CVE-2022-39334 CVE-2023-23942 CVSS scores: CVE-2022-39331 N...
A vulnerability in Nextcloud, cloud-based software for creating and using storage solutions, lies in the improper limitation of excessive authentication attempts, which allows an attacker to compromise the target system.
A vulnerability in Nextcloud, cloud-based software for creating and using storage solutions, is related to the lack of protection against brute-force attacks during password reset procedures. Exploiting this vulnerability could allow a malicious actor to crack the password reset links remotely...
Nextcloud: Self XSS when sending HTML as a comment in the Deck app
A vulnerability was found in the Deck app comments that allowed HTML injection. This could lead to malicious script execution when a user clicked a specially crafted link. The issue was reported to the Nextcloud security team...
Nextcloud: Inviting excessive long email addresses to a calendar event makes the server unresponsive
An absence of a character limit in the email address field when sending emails allowed for the sending of excessively long email addresses, causing the server to become unresponsive and resulting in a denial of service...
PT-2023-6404 · Nextcloud +1 · Nextcloud Calendar +1
Name of the Vulnerable Software and Affected Versions: Nextcloud Calendar app versions prior to 4.4.4 Description: The issue is related to missing precondition checks in the Nextcloud calendar app, which causes the server to attempt validation of strings of any length as email addresses. This can...
Nextcloud: No Rate Limit On Forgot Password on https://apps.nextcloud.com
The "Forgot Password" feature on the Nextcloud apps website had no rate limit, allowing an attacker to send multiple requests and potentially overwhelm the victim's email inbox...
Nextcloud: Nextcloud All-In-One path disclosure of internal frontend
Vulnerability description not provided...
Nextcloud: Any (non-admin) user from an instance can destroy any (user and/or global) external filesystem
A vulnerability in Nextcloud allowed any user on an instance to delete any external filesystem, regardless of ownership or type. This could be exploited by sending a DELETE request to the appropriate endpoint, resulting in the removal of the external storage from the system. The issue has been...
ROS-20230628-01
The Nextcloud server vulnerability is related to a lack of brute force protection at the password reset endpoint. Exploitation of the vulnerability could allow an attacker acting remotely to compromise the password reset links. The Nextcloud server vulnerability is related to the fact...