CVE-2021-32678
Nextcloud Server vulnerability CVE-2021-32678 concerns missing rate limiting on OCS API responses for controllers using BruteForceProtection (OCSController). Affected versions before the patches allow bypassing authentication rate limits or spamming users, with risk depending on installed apps. T...
CVE-2023-25162
Nextcloud Server versions prior to 24.0.8 and 23.0.12 (and Nextcloud Enterprise Server prior to 24.0.8 and 23.0.12) are affected by an SSRF vulnerability that can bypass IP filtering using specialized payloads to read metadata when hosted on AWS. The issue is fixed in Nextcloud Server 24.0.8, 23....
CVE-2021-32726
Summary (CVE-2021-32726) Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3 did not delete webauthn tokens after a user was deleted, allowing a previously used username to gain access to that account. The issue has been fixed in 19.0.13, 20.0.11, and 21.0.3. There are no known workar...
CVE-2023-39963
CVE-2023-39963 affects Nextcloud Server: a missing password confirmation after stealing a session can allow an attacker to create app passwords for the victim in listed older branches (versions before patches 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8/9, 24.0.12.5, 25.0.9, 26.0.4, 27.0.1; patch...
CVE-2019-15624
CVE-2019-15624: Nextcloud Server 15.0.7 is affected by improper input validation that allows group admins to create users with IDs of system folders. The issue is confirmed in CVE-2019-15624 and is addressed in security advisories accompanying Nextcloud updates to 15.0.14 (NC-SA-2020-015/openSUSE...
CVE-2019-15623
CVE-2019-15623 affects Nextcloud Server (notably up to 16.0.1 in the description). The issue is an information disclosure where, when the Lookup Server is disabled, the server leaks its domain and user IDs to the Nextcloud Lookup Server. This is classified as a privacy exposure with partial confi...
CVE-2021-32734
CVE-2021-32734 affects Nextcloud Server where the Nextcloud Text application, prior to versions 19.0.13, 20.0.11, and 21.0.3, returned verbatim exception messages to users, potentially disclosing full paths of shared files. The issue was fixed in 19.0.13, 20.0.11, and 21.0.3. A workaround is to d...
CVE-2023-26482
CVE-2023-26482 affects Nextcloud Server (24.x prior to 24.0.10 and 25.x prior to 25.0.4 in several sources). The issue is a missing scope validation for Workflow operations, allowing creation of workflows intended for admins to be usable by non-admin contexts and, in combination with certain apps...
CVE-2021-32679
CVE-2021-32679: In Nextcloud Server, filenames were not escaped by default in controllers using DownloadResponse prior to versions 19.0.13, 20.0.11, and 21.0.3. A user-supplied filename passed unsanitized could cause a downloaded file to have a benign extension while the content is executable, p...
CVE-2021-32741
CVE-2021-32741: Nextcloud Server versions before 19.0.13, 20.0.11, and 21.0.3 lacked ratelimiting on the public share link mount endpoint, enabling enumeration of potentially valid share tokens. The issue is fixed in the corresponding updated releases (19.0.13, 20.0.11, 21.0.3). No public workar...
CVE-2019-15621
Nextcloud Server 16.0.1 is affected by CVE-2019-15621: an improper permissions preservation enables sharees to reshare with write permissions when sharing the mount point of a received share via a public link. Root cause is a permissions preservation flaw in the sharing flow; exploitation details...
CVE-2020-8293
CVE-2020-8293: A missing input validation in Nextcloud Server allowed users to store unlimited data in workflow rules, causing load and potential DDoS on subsequent interactions. Affected versions were 18.0.x, 19.0.x, and 20.0.x prior to fixes. Connected updates show Nextcloud releases addressing...
CVE-2021-32733
CVE-2021-32733 relates to Nextcloud Text (Nextcloud Server) where a cross-site scripting vulnerability exists in Nextcloud Text prior to 21.0.3, caused by serving files with a text/html Content-Type. The issue is mitigated by Content-Security-Policy in modern browsers but was fixed in Nextcloud T...
CVE-2021-32680
CVE-2021-32680 concerns Nextcloud Server: audit logging failed to log the unsetting of a share expiration date in versions prior to 19.0.13, 20.0.11, and 21.0.3. The issue is addressed in those patched versions (19.0.13, 20.0.11, 21.0.3). The provided documents describe the vulnerability as an au...
CVE-2021-32688
Nextcloud Server tokens with application-scoped permissions could escalate their own privileges due to a missing permission check. In versions prior to 19.0.13, 20.0.11, and 21.0.3, these tokens could self-elevate and gain filesystem access. The issue is addressed in the patched releases 19.0.13,...
CVE-2021-32705
CVE-2021-32705 affects Nextcloud Server: prior to versions 19.0.13, 20.0.11, and 21.0.3 there was no ratelimit on the public DAV endpoint, which could allow an attacker to enumerate potentially valid share tokens or credentials. The issue is fixed in 19.0.13, 20.0.11, and 21.0.3. Impact described...
CVE-2019-15613
CVE-2019-15613 affects Nextcloud Server 17.0.1, where a bug causes workflow rules to depend on the file extension when checking MIME types. This can impact all three security properties (confidentiality, integrity, availability) per CVSS metrics (NVD: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H; base sco...
CVE-2020-8155
CVE-2020-8155 is addressed in Nextcloud security updates across multiple distributions. OpenSUSE and Fedora advisories show Nextcloud updates (e.g., openSUSE-2020-670, openSUSE-2020-0670-1, FEDORA_2020-C9863904DE/NASLs) that fix CVE-2020-8155. The openSUSE entries describe CVE-2020-8155 as a dire...
CVE-2020-8295
CVE-2020-8295 is a Denial of Service vulnerability in Nextcloud Server (affecting Nextcloud Server 19 and earlier) caused by a wrong check when resetting a user password. Connected advisories confirm the issue is addressed by upgrading Nextcloud to newer releases (notably 19.0.13, 20.0.11, or 21....
CVE-2021-32703
Nextcloud Server CVE-2021-32703: The vulnerability is due to a lack of ratelimiting on the shareinfo endpoint, which could allow an attacker to enumerate potentially valid share tokens. Affected versions prior to 19.0.13, 20.0.11, and 21.0.3 are fixed in those respective versions. Remediation is ...
CVE-2021-32725
CVE-2021-32725 concerns Nextcloud Server: in versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not respected for federated reshares of files and folders. This could lead to unintended access control behavior across federated shares. The issue has been fixed in the res...
CVE-2021-32801
CVE-2021-32801 affects Nextcloud Server and concerns logging of potentially sensitive information in log files due to exception logging. The public records in OpenSUSE/GLSA summaries tie this CVE to Nextcloud Server components and indicate fixes were deployed in updated releases (Nextcloud 20.0.1...
CVE-2020-8118
CVE-2020-8118 describes an authenticated server-side request forgery (SSRF) in Nextcloud Server 16.0.1. The vulnerability exists in the calendar application’s “add new subscription” workflow and permits an attacker to detect local and remote services. The connected documents consistently identif...
CVE-2020-8294
CVE-2020-8294 in Nextcloud Server is a missing link validation vulnerability that allowed stored XSS via a javascript: URL in markdown. Affected versions are Nextcloud Server before 20.0.2, 19.0.5, and 18.0.11. The issue is fixed in OpenSUSE/OpenSUSE-SU updates (e.g., Nextcloud 20.0.7 and later)....
CVE-2020-8119
CVE-2020-8119 affects Nextcloud Server 17.0.0 and is described as improper authorization that leaks previews and files when a file-drop share link is opened via the gallery app. The connected updates show this vulnerability being addressed in Nextcloud-related security updates (e.g., openSUSE/SUS...
CVE-2020-8154
CVE-2020-8154 is an Insecure Direct Object Reference in Nextcloud Server (noted against 18.0.x) that allowed an attacker to remotely wipe other users’ devices via a crafted request to the affected endpoint. Publicly referenced advisories (openSUSE/OpenSUSE-SU-2020:0670-1 and openSUSE-670) associa...
CVE-2020-8139
CVE-2020-8139 affects Nextcloud Server versions older than 18.0.1, 17.0.4 and 16.0.9, where a missing access control check allows hide-download shares to be downloaded when the URL is appended with /download. Connected documents confirm this is a remote access control vulnerability with potential...
CVE-2023-48239
Nextcloud Server is vulnerable to an issue where a malicious user could update external storage, rendering it inaccessible for others. Affected: Nextcloud Server 25.0.0–25.0.12.x, 26.0.0–26.0.7.x, 27.0.x up to 27.1.2.x; Nextcloud Enterprise Server versions with corresponding prior branches. Patched ...
CVE-2020-8183
CVE-2020-8183 is a logic error in Nextcloud Server 19.0.0 where the share password was stored in plaintext during the initial create API call. Public records confirm this affects Nextcloud Server 19.0.0 and was addressed in later updates (e.g., Fedora advisories note fixes for CVE-2020-8183 in Ne...
CVE-2021-32802
CVE-2021-32802 affects Nextcloud Server where image-preview rendering calls a third-party library not suited for untrusted content, enabling issues such as SSRF, file disclosure, or potential code execution. Public details confirm Nextcloud versions 20.0.12, 21.0.4 and 22.1.0 no longer use the vu...
CVE-2020-8138
CVE-2020-8138: Nextcloud Server is vulnerable to a Server-Side Request Forgery (SSRF) when subscribing to a malicious calendar URL due to a missing check for IPv4 nested inside IPv6. Affected versions are Nextcloud Server < 17.0.1, < 16.0.7, and
CVE-2024-52517
CVE-2024-52517 affects Nextcloud Server (and Enterprise Server) where, after storing global credentials for external storage, the API returns them and injects them into the frontend, enabling plaintext read by someone with an active user session. This information disclosure risk is limited to use...
CVE-2021-32800
CVE-2021-32800 affects Nextcloud Server where an attacker can bypass Two Factor Authentication, gaining access with only a password or access to a WebAuthn device. The vulnerability impacts Nextcloud Server in affected releases and is mitigated by upgrading to versions 20.0.12, 21.0.4, or 22.1.0 ...
CVE-2021-41239
CVE-2021-41239 affects Nextcloud Server. The issue arises when the User Status API does not respect the administrator’s user enumeration settings, allowing a user to enumerate other users on the instance even if listings are disabled. The vulnerability is described in multiple connected sources a...
CVE-2021-32766
CVE-2021-32766 affects Nextcloud Text (bundled with Nextcloud Server). The issue: in affected versions, error messages differ based on whether a folder exists in a public File Drop share, allowing an attacker with a valid File Drop link to enumerate folders/files. Impact is information disclosure...
CVE-2021-41241
CVE-2021-41241 is documented in multiple sources as a permission check flaw in the Nextcloud groupfolders feature. The issue allows a user to access subfolders within a groupfolder despite advanced permissions, by copying the groupfolder to another location. Affected guidance specifies upgrading ...
CVE-2023-35172
Technical details about CVE-2023-35172 are not publicly provided in the supplied documents. Monitor for updates from vendors and security advisories.
CVE-2021-41233
CVE-2021-41233 concerns Nextcloud Server where the default Nextcloud Text app contains an issue allowing an attacker to access the folder names in the “File Drop” area. Exploitation requires knowledge of a sharing link. Affected context and guidance across connected sources indicate upgrading Nex...
CVE-2023-25817
CVE-2023-25817 pertains to Nextcloud Server where versions 24.0.0 through 24.0.8 allow a user to escalate permissions and delete files they should only view or download. Root cause details are not explicitly provided in the initial document beyond the vulnerability description, but the fix is cle...
CVE-2022-24741
CVE-2022-24741 affects Nextcloud Server and describes a denial-of-service vulnerability caused by uploading specially crafted files that trigger excessive memory/CPU usage during processing (notably previews). Public references specify affected Nextcloud Server variants and recommend upgrading to...
CVE-2023-48306
CVE-2023-48306 affects Nextcloud Server and Nextcloud Enterprise Server due to a DNS pin middleware vulnerability that enables DNS rebinding and SSRF. The issue is fixed in Nextcloud Server in versions 25.0.11, 26.0.6, and 27.1.0, and in Nextcloud Enterprise Server in 22.2.10.16, 23.0.12.11, 24.0...
CVE-2024-52513
Nextcloud Server’s Text app contains an attachments folder that is accessible via Files drop or Password protected shares. A malicious user can download attachments referenced in text files without providing the password after receiving such a share link. Affected versions include Nextcloud Serve...
CVE-2022-31118
This CVE affects Nextcloud Server federated sharing. Affected: Nextcloud Server versions vulnerable to brute-forcing to detect federated sharing and potentially brute-force access tokens for federated shares. Root cause: insufficient brute-force protection for federated sharing, enabling exploita...
CVE-2023-49791
CVE-2023-49791 affects Nextcloud Server and Nextcloud Enterprise Server where an attacker with an active session of another user could call the API to delete/modify workflows without password confirmation, bypassing the UI check. The description lists affected ranges: Nextcloud Server pre-26.0.9 ...
CVE-2021-32656
CVE-2021-32656 affects Nextcloud Server’s federated share feature. Prior to versions 19.0.11, 20.0.10, and 21.0.2, an attacker could access basic information about users by exploiting a public federated link added by a legitimate server user. This occurs because Nextcloud can share registered use...
CVE-2023-45151
CVE-2023-45151 affects Nextcloud Server where OAuth2 tokens were stored in plaintext on affected installations. The root cause is storage of OAuth2 tokens in plaintext on the server, enabling an attacker with server access to potentially elevate privileges. Affected versions were addressed by upg...
CVE-2023-49792
CVE-2023-49792 affects Nextcloud Server and Enterprise Server. When a trusted proxy is configured, the server may read an attacker’s remote address incorrectly, enabling authentication attempts to be misdirected. Affected versions include Nextcloud Server prior to 26.0.9, 27.1.4 and Nextcloud Ent...
CVE-2024-22403
CVE-2024-22403 affects Nextcloud Server prior to 28.0.0, where OAuth2 authorization codes did not expire. An attacker who intercepts an authorization code could authenticate at any time using that code. The issue is resolved by upgrading to Nextcloud Server 28.0.0, where OAuth codes are invalidat...
CVE-2021-32654
CVE-2021-32654 affects Nextcloud Server prior to versions 19.0.11, 20.0.10, and 21.0.2, allowing an attacker to obtain write/read privileges on any Federated File Share (including public links). Public links can be added as federated shares, enabling exploitation on those links. Upgrading to patc...
CVE-2023-25159
CVE-2023-25159 affects Nextcloud Server and related components. Technical details from PT Security show the issue resides in OCFilesNodeFolder::getFullPath(), where improper validation/normalization can allow crafted paths to escape a user’s space, potentially overwriting other users’ data. Affec...