
4992 matches found

OSV
added 2023/05/27 4:36 a.m. · 25 views

CVE-2023-33184 Blind SSRF in the Nextcloud Mail app on avatar endpoint

Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed sending GET requests to services running in the same web server. It is recommended that the Mail app is updated to version 3.02, 2.2.5 or 1.15.3...

CVSS 3.5 · AI score 5.3 · EPSS 0.00529
Exploits 0 · References 5
CNNVD
added 2023/05/27 12:0 a.m. · 28 views

Nextcloud Code Issue Vulnerability

Nextcloud is a suite of open source, self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A security vulnerability exists in Nextcloud Mail that originates from an SSRF attack that could allow GET requests to be sent to services running in the...

CVSS 5.3 · AI score 5.6 · EPSS 0.00529
Exploits 0 · References 4
Positive Technologies
added 2023/05/27 12:0 a.m. · 8 views

PT-2023-24201 · Nextcloud +1 · Nextcloud Mail +1

Name of the Vulnerable Software and Affected Versions: Nextcloud Mail versions prior to 1.15.3; Nextcloud Mail versions prior to 2.2.5; Nextcloud Mail versions prior to 3.02. Description: A blind SSRF attack in Nextcloud Mail allowed sending GET requests to services running in the same web server...

CVSS 5.3 · AI score 7.2 · EPSS 0.00529
Exploits 0 · References 9
NVD
added 2023/05/26 11:15 p.m. · 12 views

CVE-2023-32319

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issu...

CVSS 8.1 · AI score 8.1 · EPSS 0.00697
Exploits 0 · References 2
Prion
added 2023/05/26 11:15 p.m. · 23 views

Design/Logic Flaw

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issu...

CVSS 4 · AI score 6.4 · EPSS 0.00697
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2023/05/26 10:49 p.m. · 6 views

CVE-2023-32319 Basic auth header on WebDAV requests is not brute-force protected in Nextcloud

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issu...

CVSS 8.1 · AI score 8 · EPSS 0.00697
Exploits 0 · References 2
Cvelist
added 2023/05/26 10:49 p.m. · 31 views

CVE-2023-32319 Basic auth header on WebDAV requests is not brute-force protected in Nextcloud

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issu...

CVSS 8.1 · AI score 8.2 · EPSS 0.00697
Exploits 0 · References 2
CVE
added 2023/05/26 10:49 p.m. · 82 views

CVE-2023-32319

Nextcloud Server vulnerability CVE-2023-32319: Missing brute-force protection on WebDAV endpoints via basic auth allows credential brute-forcing when usernames are not emails (affects 24.0.0+; fixed in 24.0.11, 25.0.5, 26.0.0). Users should upgrade to these releases; no workarounds are documented.

CVSS 8.1 · AI score 6.7 · EPSS 0.00697
Exploits 0 · References 2 · Affected Software 1
OSV
added 2023/05/26 10:49 p.m. · 20 views

CVE-2023-32319 Basic auth header on WebDAV requests is not brute-force protected in Nextcloud

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issu...

CVSS 8.1 · AI score 6.7 · EPSS 0.00697
Exploits 0 · References 4
NVD
added 2023/05/26 10:15 p.m. · 20 views

CVE-2023-31128

NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.head_ref field. The github.head_ref value is an...

CVSS 8.8 · AI score 8.4 · EPSS 0.03344
Exploits 1 · References 5
Prion
added 2023/05/26 10:15 p.m. · 18 views

Command injection

NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.head_ref field. The github.head_ref value is an...

CVSS 6.5 · AI score 8.9 · EPSS 0.03344
Exploits 1 · References 5 · Affected Software 1
CVE
added 2023/05/26 9:49 p.m. · 69 views

CVE-2023-31128

Summary: CVE-2023-31128 concerns NextCloud Cookbook’s pull-checks.yml workflow, where an untrusted github.head_ref value can be attacker-controlled, enabling command injection via a crafted value (e.g., zzz";echo${IFS}"hello";#). The issue, stemming from a lack of input validation in the workflow...

CVSS 8.8 · AI score 8.7 · EPSS 0.03344
Exploits 1 · References 5 · Affected Software 1
Vulnrichment
added 2023/05/26 9:49 p.m. · 11 views

CVE-2023-31128 NextCloud Cookbook's pull-checks.yml workflow is vulnerable to OS Command Injection

NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.head_ref field. The github.head_ref value is an...

CVSS 8.1 · AI score 8.9 · EPSS 0.03344
Exploits 1 · References 5
Cvelist
added 2023/05/26 9:49 p.m. · 26 views

CVE-2023-31128 NextCloud Cookbook's pull-checks.yml workflow is vulnerable to OS Command Injection

NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.head_ref field. The github.head_ref value is an...

CVSS 8.1 · AI score 9.1 · EPSS 0.03344
Exploits 1 · References 5
OSV
added 2023/05/26 9:49 p.m. · 22 views

CVE-2023-31128 NextCloud Cookbook's pull-checks.yml workflow is vulnerable to OS Command Injection

NextCloud Cookbook is a recipe library app. Prior to commit a46d9855 on the master branch and commit 489bb744 on the main-0.9.x branch, the pull-checks.yml workflow is vulnerable to command injection attacks because of using an untrusted github.head_ref field. The github.head_ref value is an...

CVSS 8.1 · AI score 8.7 · EPSS 0.03344
Exploits 1 · References 7
NVD
added 2023/05/26 6:15 p.m. · 22 views

CVE-2023-32318

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous...

CVSS 7.2 · AI score 6.9 · EPSS 0.00209
Exploits 0 · References 2
Prion
added 2023/05/26 6:15 p.m. · 16 views

Design/Logic Flaw

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous...

CVSS 3.5 · AI score 6.4 · EPSS 0.00209
Exploits 0 · References 2 · Affected Software 1
CVE
added 2023/05/26 5:21 p.m. · 76 views

CVE-2023-32318

Technical details for CVE-2023-32318 are not publicly available in the provided Connected documents. Please monitor for official disclosures or updated entries.

CVSS 7.2 · AI score 6.5 · EPSS 0.00209
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2023/05/26 5:21 p.m. · 8 views

CVE-2023-32318 User session not correctly destroyed on logout

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous...

CVSS 7.2 · AI score 6.9 · EPSS 0.00209
Exploits 0 · References 2
Cvelist
added 2023/05/26 5:21 p.m. · 24 views

CVE-2023-32318 User session not correctly destroyed on logout

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous...

CVSS 7.2 · AI score 7 · EPSS 0.00209
Exploits 0 · References 2