CasaOS contains weak JWT secrets
Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as root on CasaOS instances...
CVE-2023-28834
Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get t...
Design/Logic Flaw
Nextcloud Server is an open source personal cloud implementation. In versions from 24.0.0 and before 24.0.9, a user could escalate their permissions to delete files that they were only supposed to be able to view or download. This issue has been addressed and it is recommended that the...
CVE-2022-41968 Nextcloud Server's calendar name length not validated before writing to database
Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Version 23.0.10 and 24.0.5 contain patches for...
Design/Logic Flaw
Nextcloud Server is an open source personal cloud server. Affected versions of Nextcloud Server did not properly limit user display names, which could allow malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to...
Design/Logic Flaw
Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Serve...
CVE-2022-39211 Server-Side Request Forgery (SSRF) via potential filter bypass in Nextcloud Server
Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Serve...
CVE-2022-36074
The CVE-2022-36074 entry concerns Nextcloud Server where information disclosure occurs because the server fails to strip the Authorization header during HTTP downgrades. Affected products/versions include Nextcloud Server prior to 23.0.7 and 24.0.3 (enterprise versions 22.2.11, 23.0.7, or 24.0.3)...
Nextcloud: Multiple Vulnerabilities
Background: Nextcloud is a personal cloud that runs on your own server. Description: Multiple vulnerabilities have been discovered in Nextcloud. Please review the CVE identifiers referenced below for details. Impact: Please review the referenced CVE identifiers for details. Workaround: There is no...
CVE-2022-31119
CVE-2022-31119 affects Nextcloud Mail: affected versions log user passwords to disk upon misconfiguration, enabling potential complete account access if log files are compromised. RedHat/Red Hat-affiliated advisories and Nextcloud security notes confirm the issue and recommend upgrading Nextcloud...
CVE-2022-31119 Password disclosure in log file in Nextcloud Mail App
Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions of Nextcloud Mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs, complete access to affected accounts would be obtainable. It is...
Lenovo Personal Cloud Storage Trust Management Issue Vulnerability (CNVD-2022-59193)
Lenovo Personal Cloud Storage is a cloud storage platform from Lenovo, a Chinese company. Lenovo Personal Cloud Storage is vulnerable to a trust management issue that stems from a weak default password for the serial port in the device, which could be exploited by an attacker to gain physical...
Lenovo Personal Cloud Storage Command Injection Vulnerability
Lenovo Personal Cloud Storage is a cloud storage platform from Lenovo China. Lenovo Personal Cloud Storage is vulnerable to command injection. An attacker could use the vulnerability to execute operating system commands by sending spoofed packets to the device...
Lenovo Personal Cloud Storage Trust Management Issue Vulnerability
Lenovo Personal Cloud Storage is a personal cloud storage from Lenovo China. Lenovo Personal Cloud Storage is vulnerable to a trust management issue, which stems from a weak default administrator password for the web interface and serial port, which could be exploited...
Lenovo Personal Cloud Storage Unspecified Vulnerability
Lenovo Personal Cloud Storage is a personal cloud storage from Lenovo, a Chinese company. Lenovo Personal Cloud Storage has a security vulnerability that could be exploited to allow an unauthenticated user to create a standard user account...
CVE-2021-42848
An information disclosure vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to retrieve device and networking details...
CVE-2021-42852
A command injection vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an authenticated user to execute operating system commands by sending a crafted packet to the device...
CVE-2021-42851
A vulnerability was reported in some Lenovo Personal Cloud Storage devices that could allow an unauthenticated user to create a standard user account...
CVE-2021-42849
A weak default password for the serial port was reported in some Lenovo Personal Cloud Storage devices that could allow unauthorized device access to an attacker with physical access...