51 matches found

EUVD
added 2025/12/05 4:18 p.m. · 2 views

EUVD-2025-201451

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users emails, names, identifiers without prop...

CVSS 4.5 · AI score 5.9 · EPSS 0.0003
Exploits 0 · References 3

Nextcloud
added 2025/05/16 8:11 a.m. · 11 views

Bypass group folder quota limit using attachment in text file

None...

CVSS 6.5 · AI score 5.2 · EPSS 0.00284
Exploits 0 · References 3 · Affected Software 1

NVD
added 2024/11/15 5:15 p.m. · 26 views

CVE-2024-52517

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the...

CVSS 5.9 · EPSS 0.00746
Exploits 0 · References 4

OSV
added 2024/11/15 5:3 p.m. · 14 views

CVE-2024-52515 Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews

Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended...

CVSS 5.7 · AI score 6.6 · EPSS 0.01491
Exploits 0 · References 6

Cvelist
added 2024/11/15 4:55 p.m. · 26 views

CVE-2024-52516 Nextcloud Server's shares are not removed when user is limited to share with in their groups and being removed from one of them

Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 o...

CVSS 3 · EPSS 0.00575
Exploits 0 · References 3

Nextcloud
added 2024/11/15 1:8 p.m. · 21 views

Potential hash collision for background jobs could skip queuing them

None...

CVSS 5.3 · AI score 5.1 · EPSS 0.00771
Exploits 0 · References 3 · Affected Software 1

Nextcloud
added 2024/11/15 1:7 p.m. · 13 views

User password is available in memory of the PHP process

None...

CVSS 7.5 · AI score 5.1 · EPSS 0.0074
Exploits 0 · References 3 · Affected Software 1

Vulnrichment
added 2024/06/14 3:28 p.m. · 23 views

CVE-2024-37882 Nextcloud Server can reshare read&share only folder with more permissions

Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to...

CVSS 8.1 · AI score 6.9 · EPSS 0.00319
Exploits 0 · References 3

Cvelist
added 2024/06/14 3:5 p.m. · 16 views

CVE-2024-37314 Nextcloud Photos' shared albums have no restriction on photo removal

Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2...

CVSS 3.5 · EPSS 0.00143
Exploits 0 · References 3

CVE
added 2024/06/14 3:5 p.m. · 60 views

CVE-2024-37314

CVE-2024-37314 concerns Nextcloud Photos enabling removal of photos from a registered user’s album. The entry notes remediation by upgrading Nextcloud Server to 25.0.7 or 26.0.2 and Nextcloud Enterprise Server to 25.0.7 or 26.0.2. Connected documents show multiple related Nextcloud vulnerabilitie...

CVSS 3.5 · AI score 3.8 · EPSS 0.00143
Exploits 0 · References 3 · Affected Software 1

Vulnrichment
added 2024/06/14 3:5 p.m. · 18 views

CVE-2024-37314 Nextcloud Photos' shared albums have no restriction on photo removal

Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2...

CVSS 3.5 · AI score 4 · EPSS 0.00143
Exploits 0 · References 3

OSV
added 2024/06/14 3:5 p.m. · 12 views

CVE-2024-37314 Nextcloud Photos' shared albums have no restriction on photo removal

Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2...

CVSS 3.5 · AI score 4.5 · EPSS 0.00143
Exploits 0 · References 5

CVE
added 2024/06/14 2:50 p.m. · 86 views

CVE-2024-37313

CVE-2024-37313 corresponds to multiple Nextcloud vulnerabilities surfaced by PT Security and related alerts, detailing improper authentication and credential exposure scenarios. Technical details across connected sources include: 2FA bypass after valid credentials, read-access to external storage...

CVSS 7.5 · AI score 7.1 · EPSS 0.00179
Exploits 0 · References 3 · Affected Software 1

SUSE CVE
added 2023/12/25 2:11 a.m. · 1 views

SUSE CVE-2023-49791

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when an attacker manages to get access to an...

CVSS 5.4 · AI score 6.9 · EPSS 0.00199
Exploits 0 · References 3

Prion
added 2023/12/22 5:15 p.m. · 14 views

Authentication flaw

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4; as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4; when a reverse proxy is configured as truste...

CVSS 7.5 · AI score 7.3 · EPSS 0.00409
Exploits 0 · References 3 · Affected Software 1

CVE
added 2023/12/22 4:31 p.m. · 95 views

CVE-2023-49792

CVE-2023-49792 affects Nextcloud Server and Enterprise Server. When a trusted proxy is configured, the server may read an attacker’s remote address incorrectly, enabling authentication attempts to be misdirected. Affected versions include Nextcloud Server prior to 26.0.9, 27.1.4 and Nextcloud Ent...

CVSS 9.8 · AI score 7.3 · EPSS 0.00409
Exploits 0 · References 3 · Affected Software 1

Positive Technologies
added 2023/12/22 12:0 a.m. · 4 views

PT-2023-8424 · Nextcloud +2 · Nextcloud Enterprise Server +3

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 26.0.9 and 27.1.4 Nextcloud Enterprise Server versions prior to 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 Description: The issue is related to the lack of restrictions on authentication attempts,...

CVSS 10 · AI score 6.2 · EPSS 0.00824
Exploits 6 · References 93

Nextcloud
added 2023/12/18 8:27 a.m. · 43 views

Bruteforce protection can be bypassed with misconfigured proxy

None...

CVSS 9.8 · AI score 8.5 · EPSS 0.00409
Exploits 0 · References 2 · Affected Software 1

NVD
added 2023/11/21 11:15 p.m. · 15 views

CVE-2023-48306

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0...

CVSS 9.8 · EPSS 0.005
Exploits 1 · References 3

OSV
added 2023/11/21 10:20 p.m. · 19 views

CVE-2023-48306 Nextcloud Server DNS pin middleware can be tricked into DNS rebinding allowing SSRF

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0...

CVSS 5 · AI score 9 · EPSS 0.005
Exploits 1 · References 5