CVE-2023-28998 Nextcloud Desktop client misbehaves with E2EE when the server returns empty list of metadata keys

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new...

CVE-2023-28998

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new...

CVE-2023-28998 Nextcloud Desktop client misbehaves with E2EE when the server returns empty list of metadata keys

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new...

CVE-2023-28997 Nextcloud Desktop: Initialization vector reuse in E2EE allows malicious server admin to break, manipulate, access files

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5...

CVE-2023-28997

Summary (CVE-2023-28997) The Nextcloud Desktop Client is affected when running versions 3.0.0 up to before 3.6.5, where an attacker with control of a malicious server could recover and modify the contents of end-to-end encrypted files due to a vulnerability tied to IV reuse in the E2EE scheme. Th...

CVE-2023-28997 Nextcloud Desktop: Initialization vector reuse in E2EE allows malicious server admin to break, manipulate, access files

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5...

CVE-2023-28997

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5...

CVE-2023-28997 Nextcloud Desktop: Initialization vector reuse in E2EE allows malicious server admin to break, manipulate, access files

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5...

CVE-2023-28848 CSRF protection on user_oidc login returned the expected token in case of an error

useroidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second...

CVE-2023-28848 CSRF protection on user_oidc login returned the expected token in case of an error

useroidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second...

CVE-2023-28848 CSRF protection on user_oidc login returned the expected token in case of an error

useroidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second...

CVE-2023-28848

CVE-2023-28848 affects Nextcloud’s user_oidc (OIDC backend). Versions 1.0.0–1.3.0 allow bypassing CSRF state protection by copying the expected state token from the first request to the second. This enables a CSRF-like bypass. Remediation: upgrade user_oidc to 1.3.0. No known workarounds are prov...

Desktop clients misbehaves with end-to-end encryption when the server returns an empty list of metadata keys

None...

Initialization vector reuse in end-to-end encryption allows a malicious server admin to break manipulate and access files

None...

Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders

None...

Desktop client does not verify received singed certificate in end-to-end encryption

None...

SUSE CVE-2023-28645

Nextcloud richdocuments is a Nextcloud app integrating the office suit Collabora Online. In affected versions the secure view feature of the rich documents app can be bypassed by using unprotected internal API endpoint of the rich documents app. It is recommended that the Nextcloud Office app...

SUSE CVE-2023-28845

Nextcloud talk is a video & audio conferencing app for Nextcloud. In affected versions the talk app does not properly filter access to a conversations member list. As a result an attacker could use this vulnerability to gain information about the members of a Talk conversation, even if they...

SUSE CVE-2023-28844

Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to...

PT-2023-22075 · Nextcloud +2 · Nextcloud Android App +4

Name of the Vulnerable Software and Affected Versions: Nextcloud Desktop client versions 3.0.0 through 3.8.0 Nextcloud Android app versions 3.13.0 through 3.25.0 Nextcloud iOS app versions 3.0.5 through 4.8.0 Description: A malicious server administrator can gain full access to an end-to-end...