4969 matches found

Cvelist
added 2021/07/12 9:5 p.m., 21 views

CVE-2021-32733 XSS in Nextcloud Text application

Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a text/html Content-Type when serving files to...

4.8 CVSS, 6.6 AI score, 0.01106 EPSS
Exploits 0, References 3

CVE
added 2021/07/12 8:40 p.m., 62 views

CVE-2021-32727

The CVE concerns the Nextcloud Android Client and an end-to-end encryption oversight. In versions prior to 3.16.1, the client skipped a step that verifies whether a private key belongs to a previously downloaded public certificate. If a malicious public key is served by the Nextcloud instance, da...

7.5 CVSS, 6.3 AI score, 0.00732 EPSS
Exploits 0, References 4, Affected Software 1

Cvelist
added 2021/07/12 8:40 p.m., 17 views

CVE-2021-32727 End-to-end encryption device setup did not verify public key

Nextcloud Android Client is the Android client for Nextcloud. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.16.1, the Nextcloud Android client skipped a step that involved the client checking if a private...

5.7 CVSS, 7.6 AI score, 0.00732 EPSS
Exploits 0, References 4

OSV
added 2021/07/12 8:15 p.m., 10 views

CVE-2021-32726

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fix...

9.8 CVSS, 6.7 AI score
Exploits 0, References 4

NVD
added 2021/07/12 8:15 p.m., 9 views

CVE-2021-32726

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fix...

9.8 CVSS, 0.01779 EPSS
Exploits 0, References 4

OSV
added 2021/07/12 8:15 p.m., 17 views

CVE-2021-32725

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known...

5.3 CVSS, 6.6 AI score
Exploits 0, References 4

NVD
added 2021/07/12 8:15 p.m., 15 views

CVE-2021-32725

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known...

5.3 CVSS, 0.01213 EPSS
Exploits 0, References 4

Prion
added 2021/07/12 8:15 p.m., 19 views

Design/Logic Flaw

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known...

5 CVSS, 6.2 AI score, 0.01213 EPSS
Exploits 0, References 4, Affected Software 1

Prion
added 2021/07/12 8:15 p.m., 16 views

Code injection

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fix...

7.5 CVSS, 9.3 AI score, 0.01779 EPSS
Exploits 0, References 4, Affected Software 1

Cvelist
added 2021/07/12 7:45 p.m., 17 views

CVE-2021-32726 Webauthn tokens not removed after user has been deleted

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fix...

7.1 CVSS, 9.6 AI score, 0.01779 EPSS
Exploits 0, References 4

CVE
added 2021/07/12 7:45 p.m., 176 views

CVE-2021-32726

Summary (CVE-2021-32726) Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3 did not delete webauthn tokens after a user was deleted, allowing a previously used username to gain access to that account. The issue has been fixed in 19.0.13, 20.0.11, and 21.0.3. There are no known workar...

9.8 CVSS, 8.1 AI score, 0.01779 EPSS
Exploits 0, References 4, Affected Software 1

CVE
added 2021/07/12 7:30 p.m., 151 views

CVE-2021-32725

CVE-2021-32725 concerns Nextcloud Server: in versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not respected for federated reshares of files and folders. This could lead to unintended access control behavior across federated shares. The issue has been fixed in the res...

5.3 CVSS, 4.8 AI score, 0.01213 EPSS
Exploits 0, References 4, Affected Software 1

Cvelist
added 2021/07/12 7:30 p.m., 18 views

CVE-2021-32725 Default share permissions not respected for federated reshares

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known...

3.5 CVSS, 7.5 AI score, 0.01213 EPSS
Exploits 0, References 4

OSV
added 2021/07/12 7:15 p.m., 12 views

CVE-2021-32707

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a background-image CSS attribute. Note that the images were still passed...

4.3 CVSS, 6.6 AI score
Exploits 0, References 3

OSV
added 2021/07/12 7:15 p.m., 15 views

CVE-2021-32689

Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and...

6.5 CVSS, 6.6 AI score
Exploits 0, References 5

NVD
added 2021/07/12 7:15 p.m., 15 views

CVE-2021-32689

Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and...

8.1 CVSS, 0.01 EPSS
Exploits 0, References 5

NVD
added 2021/07/12 7:15 p.m., 13 views

CVE-2021-32707

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a background-image CSS attribute. Note that the images were still passed...

4.3 CVSS, 0.01146 EPSS
Exploits 1, References 3

Prion
added 2021/07/12 7:15 p.m., 24 views

Default credentials

Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and...

4 CVSS, 6.2 AI score, 0.01 EPSS
Exploits 0, References 5, Affected Software 1

Prion
added 2021/07/12 7:15 p.m., 24 views

Design/Logic Flaw

Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a background-image CSS attribute. Note that the images were still passed...

4 CVSS, 4.4 AI score, 0.01146 EPSS
Exploits 1, References 3, Affected Software 1

CVE
added 2021/07/12 7:5 p.m., 60 views

CVE-2021-32707

CVE-2021-32707 affects Nextcloud Mail prior to version 1.9.6: the privacy filter did not filter images with a background-image CSS attribute, allowing a remote CSS background image to reveal whether an email was read. Images passed through the Nextcloud image proxy, so IP leakage was not reported...

4.3 CVSS, 4.4 AI score, 0.01146 EPSS
Exploits 1, References 3, Affected Software 1