CVE-2021-32678
Nextcloud Server vulnerability CVE-2021-32678 concerns missing rate limiting on OCS API responses for controllers using BruteForceProtection (OCSController). Affected versions before the patches allow bypassing authentication rate limits or spamming users, with risk depending on installed apps. T...
CVE-2023-25162
Nextcloud Server versions prior to 24.0.8 and 23.0.12 (and Nextcloud Enterprise Server prior to 24.0.8 and 23.0.12) are affected by an SSRF vulnerability that can bypass IP filtering using specialized payloads to read metadata when hosted on AWS. The issue is fixed in Nextcloud Server 24.0.8, 23....
CVE-2021-32726
Summary (CVE-2021-32726) Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3 did not delete webauthn tokens after a user was deleted, allowing a previously used username to gain access to that account. The issue has been fixed in 19.0.13, 20.0.11, and 21.0.3. There are no known workar...
CVE-2019-15624
CVE-2019-15624: Nextcloud Server 15.0.7 is affected by improper input validation that allows group admins to create users with IDs of system folders. The issue is confirmed in CVE-2019-15624 and is addressed in security advisories accompanying Nextcloud updates to 15.0.14 (NC-SA-2020-015/openSUSE...
CVE-2019-15623
CVE-2019-15623 affects Nextcloud Server (notably up to 16.0.1 in the description). The issue is an information disclosure where, when the Lookup Server is disabled, the server leaks its domain and user IDs to the Nextcloud Lookup Server. This is classified as a privacy exposure with partial confi...
CVE-2021-32734
CVE-2021-32734 affects Nextcloud Server where the Nextcloud Text application, prior to versions 19.0.13, 20.0.11, and 21.0.3, returned verbatim exception messages to users, potentially disclosing full paths of shared files. The issue was fixed in 19.0.13, 20.0.11, and 21.0.3. A workaround is to d...
CVE-2021-32679
CVE-2021-32679: In Nextcloud Server, filenames were not escaped by default in controllers using DownloadResponse prior to versions 19.0.13, 20.0.11, and 21.0.3. A user-supplied filename passed unsanitized could cause a downloaded file to have a benign extension while the content is executable, p...
CVE-2020-8293
CVE-2020-8293: A missing input validation in Nextcloud Server allowed users to store unlimited data in workflow rules, causing load and potential DDoS on subsequent interactions. Affected versions were 18.0.x, 19.0.x, and 20.0.x prior to fixes. Connected updates show Nextcloud releases addressing...
CVE-2021-32741
CVE-2021-32741: Nextcloud Server versions before 19.0.13, 20.0.11, and 21.0.3 lacked rate limiting on the public share link mount endpoint, enabling enumeration of potentially valid share tokens. The issue is fixed in the corresponding updated releases (19.0.13, 20.0.11, 21.0.3). No public workar...
CVE-2019-15621
Nextcloud Server 16.0.1 is affected by CVE-2019-15621: an improper permissions preservation enables sharees to reshare with write permissions when sharing the mount point of a received share via a public link. Root cause is a permissions preservation flaw in the sharing flow; exploitation details...
CVE-2021-32705
CVE-2021-32705 affects Nextcloud Server: prior to versions 19.0.13, 20.0.11, and 21.0.3 there was no rate limit on the public DAV endpoint, which could allow an attacker to enumerate potentially valid share tokens or credentials. The issue is fixed in 19.0.13, 20.0.11, and 21.0.3. Impact described...
CVE-2021-32733
CVE-2021-32733 relates to Nextcloud Text (Nextcloud Server) where a cross-site scripting vulnerability exists in Nextcloud Text prior to 21.0.3, caused by serving files with a text/html Content-Type. The issue is mitigated by Content-Security-Policy in modern browsers but was fixed in Nextcloud T...
CVE-2021-32680
CVE-2021-32680 concerns Nextcloud Server: audit logging failed to log the unsetting of a share expiration date in versions prior to 19.0.13, 20.0.11, and 21.0.3. The issue is addressed in those patched versions (19.0.13, 20.0.11, 21.0.3). The provided documents describe the vulnerability as an au...
CVE-2021-32688
Nextcloud Server tokens with application-scoped permissions could escalate their own privileges due to a missing permission check. In versions prior to 19.0.13, 20.0.11, and 21.0.3, these tokens could self-elevate and gain filesystem access. The issue is addressed in the patched releases 19.0.13,...
CVE-2019-15613
CVE-2019-15613 affects Nextcloud Server 17.0.1, where a bug causes workflow rules to depend on the file extension when checking MIME types. This can impact all three security properties (confidentiality, integrity, availability) per CVSS metrics (NVD: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H; base sco...
CVE-2020-8155
CVE-2020-8155 is addressed in Nextcloud security updates across multiple distributions. OpenSUSE and Fedora advisories show Nextcloud updates (e.g., openSUSE-2020-670, openSUSE-2020-0670-1, FEDORA_2020-C9863904DE/NASLs) that fix CVE-2020-8155. The openSUSE entries describe CVE-2020-8155 as a dire...
CVE-2020-8295
CVE-2020-8295 is a Denial of Service vulnerability in Nextcloud Server (affecting Nextcloud Server 19 and earlier) caused by a wrong check when resetting a user password. Connected advisories confirm the issue is addressed by upgrading Nextcloud to newer releases (notably 19.0.13, 20.0.11, or 21....
CVE-2021-32703
Nextcloud Server CVE-2021-32703: The vulnerability is due to a lack of rate limiting on the shareinfo endpoint, which could allow an attacker to enumerate potentially valid share tokens. Affected versions prior to 19.0.13, 20.0.11, and 21.0.3 are fixed in those respective versions. Remediation is ...
CVE-2021-32725
CVE-2021-32725 concerns Nextcloud Server: in versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not respected for federated reshares of files and folders. This could lead to unintended access control behavior across federated shares. The issue has been fixed in the res...
CVE-2021-32801
CVE-2021-32801 affects Nextcloud Server and concerns logging of potentially sensitive information in log files due to exception logging. The public records in OpenSUSE/GLSA summaries tie this CVE to Nextcloud Server components and indicate fixes were deployed in updated releases (Nextcloud 20.0.1...
CVE-2020-8118
CVE-2020-8118 describes an authenticated server-side request forgery (SSRF) in Nextcloud Server 16.0.1. The vulnerability exists in the calendar application’s “add new subscription” workflow and permits an attacker to detect local and remote services. The connected documents consistently identif...
CVE-2020-8154
CVE-2020-8154 is an Insecure Direct Object Reference in Nextcloud Server (noted against 18.0.x) that allowed an attacker to remotely wipe other users’ devices via a crafted request to the affected endpoint. Publicly referenced advisories (openSUSE/OpenSUSE-SU-2020:0670-1 and openSUSE-670) associa...
CVE-2020-8294
CVE-2020-8294 in Nextcloud Server is a missing link validation vulnerability that allowed stored XSS via a javascript: URL in markdown. Affected versions are Nextcloud Server before 20.0.2, 19.0.5, and 18.0.11. The issue is fixed in OpenSUSE/OpenSUSE-SU updates (e.g., Nextcloud 20.0.7 and later)....
CVE-2020-8119
CVE-2020-8119 affects Nextcloud Server 17.0.0 and is described as improper authorization that leaks previews and files when a file-drop share link is opened via the gallery app. The connected updates show this vulnerability being addressed in Nextcloud-related security updates (e.g., openSUSE/SUS...
CVE-2020-8183
CVE-2020-8183 is a logic error in Nextcloud Server 19.0.0 where the share password was stored in plaintext during the initial create API call. Public records confirm this affects Nextcloud Server 19.0.0 and was addressed in later updates (e.g., Fedora advisories note fixes for CVE-2020-8183 in Ne...
CVE-2020-8138
CVE-2020-8138: Nextcloud Server is vulnerable to a Server-Side Request Forgery (SSRF) when subscribing to a malicious calendar URL due to a missing check for IPv4 nested inside IPv6. Affected versions are Nextcloud Server < 17.0.1, < 16.0.7, and
CVE-2021-32802
CVE-2021-32802 affects Nextcloud Server where image-preview rendering calls a third-party library not suited for untrusted content, enabling issues such as SSRF, file disclosure, or potential code execution. Public details confirm Nextcloud versions 20.0.12, 21.0.4 and 22.1.0 no longer use the vu...
CVE-2021-32800
CVE-2021-32800 affects Nextcloud Server where an attacker can bypass Two Factor Authentication, gaining access with only a password or access to a WebAuthn device. The vulnerability impacts Nextcloud Server in affected releases and is mitigated by upgrading to versions 20.0.12, 21.0.4, or 22.1.0 ...
CVE-2021-41239
CVE-2021-41239 affects Nextcloud Server. The issue arises when the User Status API does not respect the administrator’s user enumeration settings, allowing a user to enumerate other users on the instance even if listings are disabled. The vulnerability is described in multiple connected sources a...
CVE-2021-32766
CVE-2021-32766 affects Nextcloud Text (bundled with Nextcloud Server). The issue: in affected versions, error messages differ based on whether a folder exists in a public File Drop share, allowing an attacker with a valid File Drop link to enumerate folders/files. Impact is information disclosure...
CVE-2021-41241
CVE-2021-41241 is documented in multiple sources as a permission check flaw in the Nextcloud groupfolders feature. The issue allows a user to access subfolders within a groupfolder despite advanced permissions, by copying the groupfolder to another location. Affected guidance specifies upgrading ...
CVE-2021-41233
CVE-2021-41233 concerns Nextcloud Server where the default Nextcloud Text app contains an issue allowing an attacker to access the folder names in the “File Drop” area. Exploitation requires knowledge of a sharing link. Affected context and guidance across connected sources indicate upgrading Nex...
CVE-2022-31118
This CVE affects Nextcloud Server federated sharing. Affected: Nextcloud Server versions vulnerable to brute-forcing to detect federated sharing and potentially brute-force access tokens for federated shares. Root cause: insufficient brute-force protection for federated sharing, enabling exploita...
CVE-2021-32656
CVE-2021-32656 affects Nextcloud Server’s federated share feature. Prior to versions 19.0.11, 20.0.10, and 21.0.2, an attacker could access basic information about users by exploiting a public federated link added by a legitimate server user. This occurs because Nextcloud can share registered use...
CVE-2024-22403
CVE-2024-22403 affects Nextcloud Server prior to 28.0.0, where OAuth2 authorization codes did not expire. An attacker who intercepts an authorization code could authenticate at any time using that code. The issue is resolved by upgrading to Nextcloud Server 28.0.0, where OAuth codes are invalidat...
CVE-2021-32654
CVE-2021-32654 affects Nextcloud Server prior to versions 19.0.11, 20.0.10, and 21.0.2, allowing an attacker to obtain write/read privileges on any Federated File Share (including public links). Public links can be added as federated shares, enabling exploitation on those links. Upgrading to patc...
CVE-2022-24889
CVE-2022-24889 affects Nextcloud Server (file server component). The vulnerability lets an attacker trick administrators into enabling the server’s unnecessary “recommended” apps, thereby unnecessarily expanding the attack surface. Public details indicate this is remedied by upgrading to versions...
CVE-2019-15616
CVE-2019-15616 affects Nextcloud Server (notably Nextcloud Server 16) where dangling remote share attempts can cause DNS pollution when the system runs for extended periods. Public sources describe the vulnerability as a DNS pollution condition resulting from improper handling of remote shares. T...
CVE-2021-32657
CVE-2021-32657 affects Nextcloud Server: in versions prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user could break the user administration page, preventing admins from managing users. The issue is fixed in 19.0.11, 20.0.10, and 21.0.2. As a workaround, administrators can use the OCC command...
CVE-2022-24888
Nextcloud Server vulnerability CVE-2022-24888 affects the file server component: prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files or folders whose names include leading or trailing control characters (\n, \r, \t, \v). The issue arises because the server filt...
CVE-2018-3775
CVE-2018-3775 concerns Nextcloud Server prior to version 12.0.3, where an attacker with valid user credentials could bypass two‑factor authentication due to improper authentication. The NVD entry lists CVSSv3.1 impact as high (C/H/I/H/A/H) and CVSSv2 as medium (I/P, no confidentiality/availabilit...
CVE-2021-41177
The CVE-2021-41177 entry affects Nextcloud Server. The issue is that before versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud did not implement a memory-cache backend for rate-limiting, so components using rate limits (e.g., AnonRateThrottle, UserRateThrottle) were not actually rate-limited on inst...
CVE-2022-29243
CVE-2022-29243 affects Nextcloud Server: insufficient input-size validation for new session names allows creation of excessively long app passwords, whose names are loaded into memory on use and can degrade performance. Affected versions are prior to 22.2.7 and 23.0.4; a fix is provided in 22.2.7...
CVE-2019-15617
CVE-2019-15617 affects Nextcloud Server (17.0.0) and arises from a missing check that allowed an attacker to set up a new second factor during login. Public documents reference the vulnerability and status across multiple sources (NVD/OSV/openvas) with remediation guidance generally recommending ...
CVE-2020-8152
CVE-2020-8152 affects Nextcloud Server 19.0.1 where server-side encryption keys are not adequately protected, enabling an attacker to replace the public key and later decrypt data. The vulnerability is described in Nextcloud advisory NC-SA-2020-040 and related disclosures; the issue concerns impr...
CVE-2022-39346
CVE-2022-39346 affects Nextcloud Server. Affected versions did not properly limit user display names, which could allow a malicious user to overload the backing database and trigger a denial of service. OpenSUSE advisory confirms the issue and attributes exploitation to missing length validation ...
CVE-2021-32653
CVE-2021-32653 affects Nextcloud Server. The issue leaks user IDs to the lookup server even when user fields are not published. Patched in Nextcloud versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside updating are known. Connected sources from Gentoo GLSA and GHSA advisories corroborate...
CVE-2022-29163
CVE-2022-29163 affects Nextcloud Server: prior to versions 22.2.6 and 23.0.3, a user could create a link that is not password protected even when admin-required password protection is enforced. A patch exists in 22.2.6 and 23.0.3. No public workarounds are listed. Upgrade to 22.2.6+ or 23.0.3+ to...
CVE-2022-31120
Summary: CVE-2022-31120 affects Nextcloud Server. The issue is that federated share events were not properly logged in the audit log, enabling potential brute-force attempts to go unnoticed and exacerbating the impact of CVE-2022-31118. What’s affected: Nextcloud Server (versions before upgrades ...
CVE-2022-39211
CVE-2022-39211 corresponds to a Server-Side Request Forgery (SSRF) in Nextcloud Server caused by a filter/domain-check bypass that allows locally running web services to be discovered and requested. Affected versions include Nextcloud Server prior to 23.0.8 and 24.0.4, and Nextcloud Enterprise Se...