189 matches found
CVE-2023-25159
CVE-2023-25159 affects Nextcloud Server and related components. Technical details from PT Security show the issue resides in OCFilesNodeFolder::getFullPath(), where improper validation/normalization can allow crafted paths to escape a user’s space, potentially overwriting other users’ data. Affec...
CVE-2026-45691
Summary: CVE-2026-45691 affects Nextcloud Server prior to 32.0.9 and 33.0.3, where a pre-2FA session cookie created after password auth but before TOTP could be reused as a Bearer token to access DAV endpoints, bypassing mandatory two-factor authentication and granting read/write access. Impact: ...
CVE-2023-45148
Technical details about CVE-2023-45148 are not publicly available in the provided connected documents. Monitor for updates from Nextcloud advisories to obtain concrete affected versions, impact, and remediation information.
CVE-2023-39962
Technical details for CVE-2023-39962 are not publicly available in the provided documents; monitor for updates from Nextcloud advisories.
CVE-2024-52518
CVE-2024-52518 (Nextcloud Server) : A session takeover allows an attacker who gains access to a user or admin session to create, modify, or delete external storages without re-entering a password. Descriptions across multiple sources (NVD, Red Hat, GitHub advisories) confirm the issue affects Nex...
CVE-2024-52523
CVE-2024-52523 affects Nextcloud Server. When a user or administrator defines external storage with fixed credentials, the API returns those credentials and re-inserts them into the frontend, allowing an attacker with an active user session to read them in plain text. The vulnerability enables in...
CVE-2024-37315
CVE-2024-37315 affects Nextcloud Server; with files_versions feature enabled, an attacker with read-only access to a file can restore older document versions. Remediation per sources: upgrade Nextcloud Server to 28.0.3 or later (and 26.0.12, 27.1.7 for broader Enterprise coverage; see associated ...
CVE-2021-32657
CVE-2021-32657 affects Nextcloud Server: in versions prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user could break the user administration page, preventing admins from managing users. The issue is fixed in 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command...
CVE-2022-41969
Summary: CVE-2022-41969 affects Nextcloud Server where there is no password length limit when creating a user as an administrator, enabling a limited DoS on the administrator’s own server. Affects (versions): Nextcloud Server versions prior to 23.0.11, 24.0.7, and 25.0.0. Impact (as stated): Limi...
CVE-2024-37313
CVE-2024-37313 corresponds to multiple Nextcloud vulnerabilities surfaced by PT Security and related alerts, detailing improper authentication and credential exposure scenarios. Technical details across connected sources include: 2FA bypass after valid credentials, read-access to external storage...
CVE-2019-15616
CVE-2019-15616 affects Nextcloud Server (notably Nextcloud Server 16) where dangling remote share attempts can cause DNS pollution when the system runs for extended periods. Public sources describe the vulnerability as a DNS pollution condition resulting from improper handling of remote shares. T...
CVE-2023-25820
CVE-2023-25820 affects Nextcloud Server and Enterprise Server: if an attacker gains access to an already logged-in user session, they can brute-force the password on the confirmation endpoint. Affected ranges and patches per sources include Nextcloud Server 24.0.x < 24.0.10 and 25.0.x < 25....
CVE-2023-28847
CVE-2023-28847 affects Nextcloud Server and Enterprise Server. Description: an attacker could brute-force the password of a share link due to missing brute-force protection. Affected versions include Nextcloud Server 24.0.0–24.0.10, 25.0.0–25.0.4, and Enterprise 23.0.0–23.0.11, plus related 24.0....
CVE-2018-3775
CVE-2018-3775 concerns Nextcloud Server prior to version 12.0.3, where an attacker with valid user credentials could bypass two‑factor authentication due to improper authentication. The NVD entry lists CVSSv3.1 impact as high (C/H/I/H/A/H) and CVSSv2 as medium (I/P, no confidentiality/availabilit...
CVE-2022-24888
Nextcloud Server vulnerability CVE-2022-24888 affects the file server component: prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files or folders whose names include leading or trailing control characters (\n, \r, \t, \v). The issue arises because the server filt...
CVE-2025-47790
Nextcloud Server and Enterprise Server are affected by a session-handling bug that can skip the second-factor authentication after a successful login when remember_login_cookie_lifetime is set to 0 and the session times out. Affected versions: Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3...
CVE-2021-32653
CVE-2021-32653 affects Nextcloud Server. The issue leaks user IDs to the lookup server even when user fields are not published. Patched in Nextcloud versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside updating are known. Connected sources from Gentoo GLSA and GHSA advisories corroborate...
CVE-2023-25818
CVE-2023-25818 affects Nextcloud Server in multiple versions: 24.0.0–24.0.10 and 25.0.0–25.0.4 (and related Enterprise/server variants). The root cause is lack of brute-force protection on authentication-related endpoints (password resets), enabling potential password-guessing attacks. A throttle...
CVE-2024-37882
CVE-2024-37882 affects Nextcloud Server (and Enterprise Server per advisory) where a recipient of a share with read&share permissions could reshared the item with higher permissions. The NVD entry lists higher impact on confidentiality and integrity (C/H, I/H) but no availability impact, with net...
CVE-2021-41177
The CVE-2021-41177 entry affects Nextcloud Server. The issue is that before versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud did not implement a memory-cache backend for rate-limiting, so components using rate limits (e.g., AnonRateThrottle, UserRateThrottle) were not actually rate-limited on inst...
CVE-2023-48304
CVE-2023-48304 affects Nextcloud Server (and Enterprise) where an attacker could enable/disable the birthday calendar for any user on the same server. Patches exist for Nextcloud Server versions 25.0.11, 26.0.6, and 27.1.0, and for Nextcloud Enterprise Server versions 22.2.10.16, 23.0.12.11, 24.0...
CVE-2022-29243
CVE-2022-29243 affects Nextcloud Server: insufficient input-size validation for new session names allows creation of excessively long app passwords, whose names are loaded into memory on use and can degrade performance. Affected versions are prior to 22.2.7 and 23.0.4; a fix is provided in 22.2.7...
CVE-2023-32319
Nextcloud Server vulnerability CVE-2023-32319: Missing brute-force protection on WebDAV endpoints via basic auth allows credential brute-forcing when usernames are not emails (affects 24.0.0+; fixed in 24.0.11, 25.0.5, 26.0.0). Users should upgrade to these releases; no workarounds are documented.
CVE-2022-31120
Summary: CVE-2022-31120 affects Nextcloud Server. The issue is that federated share events were not properly logged in the audit log, enabling potential brute-force attempts to go unnoticed and exacerbating the impact of CVE-2022-31118. What’s affected: Nextcloud Server (versions before upgrades ...
CVE-2022-41970
CVE-2022-41970 affects Nextcloud Server prior to 24.0.7 and 25.0.1, where disabled download shares could still be accessed via preview images. As a result, images could be downloaded and the first page of document previews could be downloaded without watermark, effectively bypassing intended prot...
CVE-2024-37887
Vulnerability summary (CVE-2024-37887) Nextcloud Server: private shared calendar events recurrence exceptions can be read by sharees. Affected for general Nextcloud Server and Enterprise Server versions as per advisory. Impact: potential information disclosure of calendar recurrence exceptions. R...
CVE-2020-8152
CVE-2020-8152 affects Nextcloud Server 19.0.1 where server-side encryption keys are not adequately protected, enabling an attacker to replace the public key and later decrypt data. The vulnerability is described in Nextcloud advisory NC-SA-2020-040 and related disclosures; the issue concerns impr...
CVE-2022-39346
CVE-2022-39346 affects Nextcloud Server. Affected versions did not properly limit user display names, which could allow a malicious user to overload the backing database and trigger a denial of service. OpenSUSE advisory confirms the issue and attributes exploitation to missing length validation ...
CVE-2024-52515
The CVE-2024-52515 entry concerns Nextcloud Server where, after an admin enables the default-disabled SVG preview provider, a malicious user could upload an SVG file that references paths, causing the preview to render another file’s contents. Technical details across connected sources confirm th...
CVE-2019-15617
CVE-2019-15617 affects Nextcloud Server (17.0.0) and arises from a missing check that allowed an attacker to set up a new second factor during login. Public documents reference the vulnerability and status across multiple sources (NVD/OSV/openvas) with remediation guidance generally recommending ...
CVE-2022-29163
CVE-2022-29163 affects Nextcloud Server: prior to versions 22.2.6 and 23.0.3, a user could create a link that is not password protected even when admin-required password protection is enforced. A patch exists in 22.2.6 and 23.0.3. No public workarounds are listed. Upgrade to 22.2.6+ or 23.0.3+ to...
CVE-2023-25579
Summary (CVE-2023-25579) Nextcloud server is affected by a directory traversal in OC\Files\Node\Folder::getFullPath(), where the function validated/normalized strings in the wrong order. This can let an attacker craft paths to escape their own space and overwrite data belonging to other users. Th...
CVE-2023-48301
Technical details about CVE-2023-48301 are not provided in the connected documents. The initial entry describes a link-injection fix in specific Nextcloud Server/Enterprise Server versions, but no explicit affected versions or remediation details are given in the supplied sources. Monitor for upd...
CVE-2021-32655
The CVE-2021-32655 entry concerns Nextcloud Server: in versions prior to 19.0.11, 20.0.10, and 21.0.2 an attacker could convert a Files Drop link into a federated share. When the sharing user opens the panel and removes the Create privileges from this unexpected share, the system silently grants ...
CVE-2022-39211
CVE-2022-39211 corresponds to a Server-Side Request Forgery (SSRF) in Nextcloud Server caused by a filter/domain-check bypass that allows locally running web services to be discovered and requested. Affected versions include Nextcloud Server prior to 23.0.8 and 24.0.4, and Nextcloud Enterprise Se...
CVE-2022-39329
CVE-2022-39329 affects Nextcloud Server (and Enterprise Server) prior to versions 23.0.9 and 24.0.5, where information could be exposed without admin-controlled access and without database access. The issue is resolved by patches in 23.0.9 and 24.0.5, with no public workarounds reported. Affected...
CVE-2023-35927
The CVE-2023-35927 issue affects Nextcloud Server and Enterprise Server where two trusted servers exchange share secrets and an attacker could modify or delete VCards in the origin server’s system address book, impacting user search and avatar menus. The initial description lists affected lines f...
CVE-2023-39960
Technical details for CVE-2023-39960 are not publicly available in the provided documents; monitor for updates.
CVE-2023-48302
Nextcloud CVE-2023-48302 concerns rendering HTML code pasted via Ctrl+Shift+V, which could disclose markup to other users. Affected versions include Nextcloud Server and Enterprise Server up to 25.0.12/25.0.0–25.0.12, 26.0.x up to 26.0.7/26.0.8, and 27.1.x up to 27.1.2/27.1.3. The issue is fixed ...
CVE-2021-22915
Concrete details from connected documents indicate CVE-2021-22915 affects Nextcloud server versions up to 19.0.11, 20.0.10, 21.0.2, due to IPv6 subnets not being included in rate-limiting for brute-force protection. The vulnerability allows bypassing rate-limit protections, with impact described ...
CVE-2023-28835
CVE-2023-28835 affects Nextcloud Server where the generated fallback password for shares used a weak random-number generator. This could allow brute-forcing the share password if no password policy is enabled. Mitigation: upgrade Nextcloud Server to 24.0.10 or 25.0.4 (or later) or enable a passwo...
CVE-2024-52514
Summary of CVE-2024-52514 (Nextcloud Server) : The vulnerability is an access control error where, after a share is blocked by file access controls, a user can copy an intermediate folder and subsequently access blocked files based on user permissions. This affects Nextcloud Server (self-hosted f...
CVE-2020-8121
Nextcloud Server 14.0.4 contains a bug where data could be exposed via reshared link shares beyond what the sharer intended. Evidence from multiple sources shows this could allow access to extended data in reshared links, including expired reshared links that still grant access to the full folder...
CVE-2023-32318
Technical details for CVE-2023-32318 are not publicly available in the provided Connected documents. Please monitor for official disclosures or updated entries.
CVE-2022-36074
The CVE-2022-36074 entry concerns Nextcloud Server where information disclosure occurs because the server fails to strip the Authorization header during HTTP downgrades. Affected products/versions include Nextcloud Server prior to 23.0.7 and 24.0.3 (enterprise versions 22.2.11, 23.0.7, or 24.0.3)...
CVE-2023-39952
CVE-2023-39952 affects Nextcloud Server: a user could access files inside a subfolder of a groupfolder despite advanced permissions. Affected are Nextcloud Server versions starting at 22.0.0 up to but not including the patches listed for 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0....
CVE-2023-39959
CVE-2023-39959 affects Nextcloud Server. Unauthenticated users could send a DAV request to determine whether a calendar or address book with a given identifier exists on victims’ accounts. Affected are Nextcloud Server versions prior to 25.0.9, 26.0.4, and 27.0.1 (and corresponding Enterprise Ser...
CVE-2017-0888
CVE-2017-0888 affects Nextcloud Server versions prior to 9.0.55 and prior to 10.0.2, with a Content-Spoofing vulnerability in the files app. The top navigation bar in the files list contains partially user-controllable input that can misrepresent information. Public sources in the connected recor...
CVE-2024-37884
CVE-2024-37884 concerns Nextcloud Server where a malicious user could send delete requests for old file versions that were shared with read permissions. The initial description specifies upgraded paths: Nextcloud Server should be updated to 26.0.12 or 27.1.7 or 28.0.3, and Nextcloud Enterprise Se...
CVE-2024-52516
CVE-2024-52516 - Nextcloud Server group-based sharing not revoked The connected PT-Security advisory confirms concrete details: Nextcloud Server (and Enterprise Server) versions prior to specific fixed releases are affected. When a user is removed from a group, shares restricted to that group are...