4992 matches found
CVE-2023-28833
CVE-2023-28833 affects Nextcloud Server’s theming feature where admins can upload a logo or favicon with unrestricted filenames, enabling overwriting files in the appdata directory. Root cause: lack of filename validation for logo/favicon uploads. Impact: potential data modification via file over...
CVE-2023-28833 Unrestricted filenames for logo or favicon as admin in the theming settings in nextcloud server
Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provide a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these...
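The filename-trust problem above, shown as an added Python example (not Nextcloud's own code): the unsafe pattern joins the admin-supplied filename onto the appdata directory, so any existing appdata file, or with `..` anything outside it, can be overwritten; the hardened version discards the supplied name and writes to a fixed per-asset path with an allowlisted extension, then checks containment as defence in depth. The directory layout, asset kinds and function names are assumptions for illustration.

```python
from pathlib import Path

# Constructed for this example: a fixed server-chosen name per asset type and the
# extensions we are willing to store. The client-supplied filename never reaches disk.
ASSET_NAMES = {"logo": "logo", "favicon": "favicon"}
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".svg", ".ico"}


def unsafe_asset_path(appdata_dir: str, filename: str) -> Path:
    """Vulnerable pattern: the uploaded filename decides where the bytes land."""
    return Path(appdata_dir) / filename


def safe_asset_path(appdata_dir: str, kind: str, upload_filename: str) -> Path:
    """Hardened pattern: fixed target name, allowlisted extension, containment check."""
    if kind not in ASSET_NAMES:
        raise ValueError(f"unknown asset kind: {kind!r}")
    ext = Path(upload_filename).suffix.lower()  # only the extension is taken from the upload
    if ext not in ALLOWED_EXT:
        raise ValueError(f"disallowed extension: {ext!r}")
    base = Path(appdata_dir).resolve()
    target = (base / "theming" / f"{ASSET_NAMES[kind]}{ext}").resolve()
    if base not in target.parents:  # defence in depth: must stay under appdata
        raise ValueError("target escapes appdata directory")
    return target


def escapes(appdata_dir: str, target: Path) -> bool:
    """True if `target`, after collapsing '..', lies outside `appdata_dir`."""
    base = Path(appdata_dir).resolve()
    resolved = Path(target).resolve()
    return resolved != base and base not in resolved.parents


def is_rejected(appdata_dir: str, kind: str, upload_filename: str) -> bool:
    """True if the hardened function refuses this upload."""
    try:
        safe_asset_path(appdata_dir, kind, upload_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    appdata = "/srv/nc/appdata"  # assumed location
    print(unsafe_asset_path(appdata, "../config/config.php"))     # lands outside appdata
    print(unsafe_asset_path(appdata, "preview/1/2/thumb.png"))    # clobbers another appdata file
    print(safe_asset_path(appdata, "logo", "../config/config.php.png"))  # always theming/logo.png
    print(is_rejected(appdata, "logo", "shell.php"))              # True
```

Note that the overwrite in the advisory does not need `..` at all: a plain relative name that matches another appdata file is enough, which is why the fix is to stop using the supplied name rather than to filter it.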
CVE-2023-28644 Reference fetch can saturate the server bandwidth for 10 seconds in nextcloud server
Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performances and/or can lead to a denial of service. This issue has been addressed and it is recommended that the Nextcloud Server is...
CVE-2023-28644
CVE-2023-28644 affects Nextcloud Server 25.x prior to 25.0.3, where an inefficient fetch operation can degrade performance and lead to a denial of service. The server-side reference fetch is characterized as a resource-management bottleneck that may saturate server resources, with impact limite...
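An added Python example (not Nextcloud's code; the page does not say what the 25.0.3 change was) of the generic defence for a server-side fetch of remote, user-referenced content: read the body in chunks against a byte budget and a wall-clock budget, so a slow or oversized remote cannot hold the worker and the uplink for the whole exchange. `bounded_read`, the limits, the injectable clock and the in-memory sample bodies are assumptions constructed for the example.

```python
import io
import time


class FetchLimitExceeded(Exception):
    """Raised when a remote body is larger or slower than the reference fetcher allows."""


def body_of(data: bytes):
    """Constructed stand-in for an HTTP response body stream."""
    return io.BytesIO(data)


def fetch_unbounded(body) -> bytes:
    """Vulnerable pattern: read whatever the remote sends, for as long as it keeps sending."""
    return body.read()


def bounded_read(body, max_bytes: int, max_seconds: float,
                 chunk_size: int = 16 * 1024, clock=time.monotonic) -> bytes:
    """Read at most max_bytes within max_seconds from a file-like response body.

    `clock` is injectable so the time budget can be exercised without sleeping.
    """
    deadline = clock() + max_seconds
    buf = bytearray()
    while True:
        if clock() > deadline:
            raise FetchLimitExceeded("time budget exhausted")
        # Ask for one byte more than the remaining budget so an over-long body is
        # detected as soon as it crosses the limit, not after it is fully buffered.
        want = min(chunk_size, max_bytes - len(buf) + 1)
        chunk = body.read(want)
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_bytes:
            raise FetchLimitExceeded(f"body exceeds {max_bytes} bytes")


def fetch_result(body, max_bytes: int, max_seconds: float, clock=time.monotonic):
    """Return ('ok', data) or ('limited', reason) so callers can branch without exceptions."""
    try:
        return ("ok", bounded_read(body, max_bytes, max_seconds, clock=clock))
    except FetchLimitExceeded as e:
        return ("limited", str(e))


def slow_clock(step: float):
    """Constructed fake clock that jumps `step` seconds on every call (models a slow remote)."""
    now = [0.0]

    def tick():
        now[0] += step
        return now[0]

    return tick


# Constructed sample bodies: a small page and a 1 MiB blob standing in for a hostile remote.
SMALL_BODY = b"<html><title>ok</title></html>"
HUGE_BODY = b"A" * (1024 * 1024)

if __name__ == "__main__":
    print(fetch_result(body_of(SMALL_BODY), 64 * 1024, 5.0))
    print(fetch_result(body_of(HUGE_BODY), 64 * 1024, 5.0))
    print(fetch_result(body_of(HUGE_BODY), 2 * 1024 * 1024, 2.0, clock=slow_clock(1.5)))
```

In a real deployment the same budgets belong on the HTTP client (connect and read timeouts, a `Content-Length` pre-check, and a cap on redirects), with the chunked read as the backstop for servers that omit or lie about the length.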
CVE-2023-28643 Potential share collision for recipients when caching is enabled in nextcloud server
Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to name 2. It is recommended that the Nextcloud Server...
CVE-2023-28643
CVE-2023-28643 affects Nextcloud Server. When two shares with the same name are sent to the same recipient while a memory cache is enabled, the second share can overwrite the first instead of being renamed to “{name} (2)”. This is documented across multiple sources in the connected set and is mit...
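The collision described above, as an added Python model (not Nextcloud's code): a recipient folder whose existing names are read once into a memory cache, so the uniqueness check for the second share never learns about the first mount and the second silently replaces it; the fixed variant updates the cache after every mount. The `RecipientFolder` type, the `(2)` suffix form and the `mount_shares_*` names are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RecipientFolder:
    """Constructed model of a recipient's share target folder: name -> share id."""
    entries: dict = field(default_factory=dict)


def unique_name(name: str, taken) -> str:
    """Return `name`, or 'name (2)', 'name (3)', ... until it is free in `taken`."""
    if name not in taken:
        return name
    n = 2
    while f"{name} ({n})" in taken:
        n += 1
    return f"{name} ({n})"


def mount_shares_stale_cache(folder: RecipientFolder, shares) -> RecipientFolder:
    """Bug model: the set of existing names is cached once and never refreshed."""
    cached_names = set(folder.entries)
    for share_id, name in shares:
        target = unique_name(name, cached_names)  # cache never sees the first mount
        folder.entries[target] = share_id         # second share replaces the first
    return folder


def mount_shares_fixed(folder: RecipientFolder, shares) -> RecipientFolder:
    """Fixed: every mount updates the cache before the next uniqueness check."""
    cached_names = set(folder.entries)
    for share_id, name in shares:
        target = unique_name(name, cached_names)
        folder.entries[target] = share_id
        cached_names.add(target)  # keep the cache in step with the folder
    return folder


if __name__ == "__main__":
    # Constructed input: two different sharers both share a folder called "Documents".
    incoming = [("share-1", "Documents"), ("share-2", "Documents")]
    print(mount_shares_stale_cache(RecipientFolder(), list(incoming)).entries)  # only share-2 survives
    print(mount_shares_fixed(RecipientFolder(), list(incoming)).entries)        # both present
```

The point generalises: any "does this name exist" check that consults a cache has to be ordered after, or invalidated by, every write the same request makes, or the check answers for a state that no longer exists.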
CVE-2023-26482 Scope of workflow operations is not validated in nextcloud server
Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs,...
CVE-2023-26482
CVE-2023-26482 affects Nextcloud Server (24.x prior to 24.0.10 and 25.x prior to 25.0.4 in several sources). The issue is a missing scope validation for Workflow operations, allowing creation of workflows intended for admins to be usable by non-admin contexts and, in combination with certain apps...
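An added Python example (not Nextcloud's code) of the missing check: a constructed operation registry declares the scopes each workflow operation may run in. The vulnerable handler checks only that the caller may use the requested scope, so a regular user can still create a personal-scope workflow around an operation meant to run admin-defined scripts; the fixed handler also asks whether the operation is available in that scope at all. Scope constants, operation names and function names are assumptions.

```python
SCOPE_ADMIN = 0   # server-wide flows, configured by administrators
SCOPE_USER = 1    # personal flows a regular user may configure

# Constructed registry: which scopes each operation is meant to be available in.
OPERATIONS = {
    "tag_file":   {SCOPE_ADMIN, SCOPE_USER},   # harmless in a personal flow
    "run_script": {SCOPE_ADMIN},               # runs server-side commands: admin only
}


class Forbidden(Exception):
    pass


def create_workflow_vulnerable(operation: str, scope: int, is_admin: bool) -> dict:
    """Checks who may use the scope, but not whether the operation belongs in it."""
    if operation not in OPERATIONS:
        raise KeyError(operation)
    if scope == SCOPE_ADMIN and not is_admin:
        raise Forbidden("only admins may create admin-scope workflows")
    return {"operation": operation, "scope": scope}


def create_workflow_fixed(operation: str, scope: int, is_admin: bool) -> dict:
    """Adds the scope validation: the operation must be available for the requested scope."""
    if operation not in OPERATIONS:
        raise KeyError(operation)
    if scope == SCOPE_ADMIN and not is_admin:
        raise Forbidden("only admins may create admin-scope workflows")
    if scope not in OPERATIONS[operation]:
        raise Forbidden(f"{operation} is not available in scope {scope}")
    return {"operation": operation, "scope": scope}


def allowed(handler, operation: str, scope: int, is_admin: bool) -> bool:
    """True if `handler` lets this caller register the workflow."""
    try:
        handler(operation, scope, is_admin)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # A non-admin user wrapping the admin-only operation in a personal-scope flow.
    print(allowed(create_workflow_vulnerable, "run_script", SCOPE_USER, False))  # True: the bug
    print(allowed(create_workflow_fixed, "run_script", SCOPE_USER, False))       # False
```

The check belongs at the point where the workflow is stored, not only in the UI that hides admin operations from users: the advisory's scenario is a user who never sees the option but can still submit the request.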
CVE-2023-28646 App lockout in nextcloud Android app can be bypassed via thirdparty apps
Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This allows the attacker to see meta...
CVE-2023-28646
CVE-2023-28646 affects Nextcloud Android app versions 3.7.0 through 3.24.0 (fixed in 3.24.1). An attacker with physical access to an unlocked device can bypass the Android Pin/passcode protection via a third-party app, enabling access to meta information such as sharers, sharees, and file activit...
CVE-2023-28647 App pin of the iOS app can be bypassed in Nextcloud iOS
Nextcloud iOS is an iOS application used to interface with the Nextcloud home cloud ecosystem. In versions prior to 4.7.0, when an attacker has physical access to an unlocked device, they may enable the integration into the iOS Files app and bypass the Nextcloud PIN/password protection and gain...
CVE-2023-28647
CVE-2023-28647 affects the Nextcloud iOS app (versions prior to 4.7.0). When an attacker has physical access to an unlocked device, they can enable integration with the iOS Files app and bypass the app’s pin/password protection, gaining access to user files. The recommended fix is upgrading the N...