CVE-2021-42851
A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account...
CVE-2024-33580
A DLL hijack vulnerability was reported in Lenovo Personal Cloud that could allow a local attacker to execute code with elevated privileges...
CVE-2024-52517
CVE-2024-52517 affects Nextcloud Server (and Enterprise Server) where, after storing global credentials for external storage, the API returns them and injects them into the frontend, enabling plaintext read by someone with an active user session. This information disclosure risk is limited to use...
CVE-2024-52521 Nextcloud Server: a potential hash collision for background jobs could skip queuing them
Nextcloud Server is a self-hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments being falsely identified as already existing and not being queued for execution. By changing the hash to SHA256 t...
CVE-2024-33580
CVE-2024-33580 describes a DLL hijack vulnerability in Lenovo Personal Cloud that could let a local attacker execute code with elevated privileges. Affected product: Lenovo Personal Cloud. Affected component: DLL loading path exploitation (DLL hijack). Root cause: DLL hijack leading to remote/l...
PT-2024-25349 · Lenovo · Lenovo Personal Cloud
Name of the Vulnerable Software and Affected Versions: Lenovo Personal Cloud (affected versions not specified). Description: A DLL hijack vulnerability was reported that could allow a local attacker to execute code with elevated privileges. The issue affects multiple versions of Lenovo products...
CVE-2024-37887 Nextcloud Server's events information leaked with shared calendars on recurrence exceptions
Nextcloud Server is a self-hosted personal cloud system. Recurrence exceptions of private shared calendar events can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 o...
CVE-2024-37315
CVE-2024-37315 affects Nextcloud Server; with files_versions feature enabled, an attacker with read-only access to a file can restore older document versions. Remediation per sources: upgrade Nextcloud Server to 28.0.3 or later (and 26.0.12, 27.1.7 for broader Enterprise coverage; see associated ...
CVE-2024-37313
CVE-2024-37313 corresponds to multiple Nextcloud vulnerabilities surfaced by PT Security and related alerts, detailing improper authentication and credential exposure scenarios. Technical details across connected sources include: 2FA bypass after valid credentials, read-access to external storage...
CVE-2023-37469
CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue...
CVE-2023-37469
CVE-2023-37469 is a CasaOS Command Injection vulnerability that affects versions prior to 0.4.4. An authenticated CasaOS user who can connect to a controlled SMB server can execute arbitrary commands on the system. The CVSS v3.1 base score is 8.8 (HIGH) with network access, low attack complexity,...
CVE-2023-37265
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as root on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in 391dd7f. This patch is part of CasaOS...
CVE-2023-37266 Weak json web token (JWT) secrets in CasaOS
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit 705bf1f...
CVE-2023-37266
CasaOS suffers from an authentication bypass via crafted JWTs in versions before 0.4.4. Unauthenticated attackers can exploit weak JWT secret handling to access features that require authentication and potentially execute commands as root on affected instances. The underlying issue is tied to inadequa...