98 matches found
CVE-2021-32655
The CVE-2021-32655 entry concerns Nextcloud Server: in versions prior to 19.0.11, 20.0.10, and 21.0.2 an attacker could convert a Files Drop link into a federated share. When the sharing user opens the panel and removes the Create privileges from this unexpected share, the system silently grants ...
CVE-2022-39211
CVE-2022-39211 corresponds to a Server-Side Request Forgery (SSRF) in Nextcloud Server caused by a filter/domain-check bypass that allows locally running web services to be discovered and requested. Affected versions include Nextcloud Server prior to 23.0.8 and 24.0.4, and Nextcloud Enterprise Se...
CVE-2021-22915
Concrete details from connected documents indicate CVE-2021-22915 affects Nextcloud server versions up to 19.0.11, 20.0.10, 21.0.2, due to IPv6 subnets not being included in rate-limiting for brute-force protection. The vulnerability allows bypassing rate-limit protections, with impact described ...
CVE-2022-39329
CVE-2022-39329 affects Nextcloud Server (and Enterprise Server) prior to versions 23.0.9 and 24.0.5, where information could be exposed without admin-controlled access and without database access. The issue is resolved by patches in 23.0.9 and 24.0.5, with no public workarounds reported. Affected...
CVE-2020-8121
Nextcloud Server 14.0.4 contains a bug where data could be exposed via reshared link shares beyond what the sharer intended. Evidence from multiple sources shows this could allow access to extended data in reshared links, including expired reshared links that still grant access to the full folder...
CVE-2022-36074
The CVE-2022-36074 entry concerns Nextcloud Server where information disclosure occurs because the server fails to strip the Authorization header during HTTP downgrades. Affected products/versions include Nextcloud Server prior to 23.0.7 and 24.0.3 (enterprise versions 22.2.11, 23.0.7, or 24.0.3)...
CVE-2016-9459
CVE-2016-9459 affects Nextcloud Server < 9.0.52 and ownCloud Server
CVE-2021-22878
CVE-2021-22878 affects Nextcloud Server prior to 20.0.6, where a reflected XSS exists due to insufficient sanitization in OC.Notification.show. The vulnerability is described across multiple sources (e.g., CNVD/CNNVD, OSV, CVE lists) and is mitigated by upgrading Nextcloud to 20.0.6 or later (per...
CVE-2020-8259
Nextcloud Server 19.0.1 is affected by CVE-2020-8259 due to insufficient protection of server-side encryption keys, allowing an attacker to replace the encryption keys. Exploitation details are not provided in the connected docs; the issue is described as a vulnerability in the key protection mec...
CVE-2021-22877
CVE-2021-22877 affects Nextcloud Server prior to 20.0.6, where a missing user check can cause a user’s own credentials to be populated for other users’ external storage configuration when that configuration has not yet been set. This is documented across multiple sources (NVD entry, CNVD/CNNVD su...
CVE-2020-8117
CVE-2020-8117 affects Nextcloud Server 14.0.3, involving improper preservation of permissions that leaks event details when sharing a non-public calendar event. Public references (NVD, CVE listing, SUSE, CNVD, OpenVAS/NC-SA-2020-013) confirm the issue name and description; CVSS metrics from NVD s...
CVE-2022-39330
CVE-2022-39330 affects Nextcloud Server prior to 23.0.10 and 24.0.6, and Nextcloud Enterprise Server prior to 22.2.10, 23.0.10, 24.0.6. Description: a logged-in attacker can cause resource exhaustion (database/cpu load) by abusing sharee recommendations with the Circles feature; patches exist in ...
CVE-2016-9463
This CVE affects Nextcloud Server prior to 9.0.54 and 10.0.1 and ownCloud Server prior to 9.1.2, 9.0.6, and 8.2.9. The issue is an SMB authentication backend that, when enabled, authenticates against an SMB server and incorrectly treats a connection to an SMB server with anonymous authentication ...
CVE-2017-0893
CVE-2017-0893 affects Nextcloud Server prior to 9.0.58, 10.0.5, and 11.0.3. A vulnerable JavaScript library used for sanitizing untrusted input enables a cross-site scripting (XSS) issue due to a Safari 10.1/10.2 behavior change. Nextcloud notes a strict Content-Security-Policy that mitigates exp...
CVE-2020-8122
CVE-2020-8122 affects Nextcloud Server 14.0.3, where a missing authorization check on share expiration updates lets a recipient extend the expiration date of a share they received. The root cause is an inadequate validation of the requester as the owner when modifying a share’s expiration. This v...
CVE-2022-39364
CVE-2022-39364 affects Nextcloud Server and Enterprise Server: reading nextcloud.log can reveal credentials to connect to a SharePoint service. Affected versions include Nextcloud Server prior to 23.0.9 and prior to 24.0.5; Nextcloud Enterprise Server prior to 22.2.10.5, 23.0.9, and 24.0.5. Patch...
CVE-2016-9464
CVE-2016-9464 concerns Nextcloud Server prior to 9.0.54 and 10.0.0, where an improper authorization check on removing shares exists. The Sharing Backend differentiates between user and group shares, but the previous API implementation could unshare a file for all users in a group when a group sha...
CVE-2017-0885
CVE-2017-0885 affects Nextcloud Server prior to 9.0.55 and 10.0.2. An error-message disclosure in write-only shares allows an adversary with access to enumerate existing files and subfolders by comparing exception messages. The issue is documented across multiple sources (Nextcloud advisory NC-SA...
CVE-2018-3761
Nextcloud Server before 12.0.8 and 13.0.3 is affected by an improper authentication flaw at the OAuth2 token endpoint. The root cause is missing checks that could allow issuing new tokens if the OAuth2 client was partly compromised. Public disclosures reference CVE-2018-3761, with vendor advisori...
CVE-2019-15619
CVE-2019-15619 affects Nextcloud Suite components: Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3, and Nextcloud Deck 0.6.5. The root cause is improper neutralization of file names, conversation names and board names, leading to cross-site scripting when linking these items within a project. Docum...
CVE-2019-15618
CVE-2019-15618 affects Nextcloud Server Updater up to at least 15.0.5, where missing HTML escaping in the Updater allows a reflected XSS when started from a malicious location. The vulnerability is a client-side reflection (no server-state compromise described) that can lead to execution of arbit...
CVE-2017-0887
CVE-2017-0887 affects Nextcloud Server before 9.0.55 and before 10.0.2, where an authenticated user can bypass quota limits due to improper sanitization of the OC-Total-Length HTTP header, allowing exceedance of configured quotas. The issue is documented across multiple sources (NVD/CNVD/OSV/Open...
CVE-2017-0892
Affected software: Nextcloud Server (
CVE-2018-16467
CVE-2018-16467 (Nextcloud Server before 14.0.0) is an improper access‑control vulnerability enabling unauthenticated attackers to bypass password protection for previews of single-file shares via the vulnerable publicpreview.php endpoint. The issue can disclose previews (notably image files) with...
CVE-2023-25161
CVE-2023-25161 affects Nextcloud Server (and Enterprise Server) with missing rate limiting on the password reset function prior to versions 25.0.1, 24.0.8, and 23.0.12. The root issue is lack of rate limiting, which can cause service slowdown, storage overflow, or cost impact when external email ...
CVE-2017-0936
CVE-2017-0936 affects Nextcloud Server prior to 11.0.7 and 12.0.5, where an Authorization Bypass Through User-Controlled Key vulnerability exists due to a missing ownership check. This allows logged-in users to change the scope of app passwords for other users. The app passwords themselves are no...
CVE-2016-9467
CVE-2016-9467 involves content spoofing in the files app of Nextcloud Server and ownCloud Server. Affected versions: Nextcloud Server < 9.0.54 and 10.0.1; ownCloud Server
CVE-2017-0894
Nextcloud Server prior to 11.0.3 is affected by CVE-2017-0894 due to a logical error that discloses valid share tokens for public calendars, potentially letting an attacker access publicly shared calendars without the token. Affected product: Nextcloud Server; vulnerable component: calendar share...
CVE-2018-3762
CVE-2018-3762 affects Nextcloud Server prior to 12.0.8 and 13.0.3, where improper checks of dropped permissions for incoming shares let a user request previews for files they should not access. Root cause: inadequate enforcement of access control on image preview requests. Impact stated in source...
CVE-2019-5449
CVE-2019-5449 affects Nextcloud Server prior to 15.0.1. A missing check allows leaking calendar event names when adding or modifying confidential or private events. Multiple connected sources confirm an information disclosure vulnerability in Nextcloud Server before 15.0.1. Impact is information ...
CVE-2022-31014
CVE-2022-31014 affects Nextcloud Server; SMTP command injection via iCalendar attachments through newline handling. Affected versions are Nextcloud Server up to 22.2.7/8, 23.x up to 23.0.5, and 24.x up to 24.0.1 (per sources). The root cause is insufficient sanitization of newline characters in S...
CVE-2017-0884
CVE-2017-0884 affects Nextcloud Server prior to versions 9.0.55 and 10.0.2 . A logical error in the file caching layer allows an authenticated attacker who has at least read-only permissions to create empty folders inside a shared folder, i.e., a creation of folders in read-only folders despite l...
CVE-2020-8236
Nextcloud Server 19.0.1 contains an improper authentication issue where a misconfiguration causes a passwordless WebAuthn PIN to be treated as two-factor authentication, but the PIN is not actually verified. This vulnerability could lead to users believing they have 2FA protection when the system...
CVE-2018-16463
CVE-2018-16463 describes a session-fixation bug in Nextcloud Server, affecting versions prior to 14.0.0, 13.0.3, and 12.0.8, which could allow an attacker to access password-protected shares. Core details provided indicate a vulnerability in Nextcloud Server’s session handling, with the public Ne...
CVE-2018-3780
CVE-2018-3780 detail (normal mode): Nextcloud’s autocomplete search results may expose a stored XSS due to missing sanitization in the autocomplete field. The flaw affects Nextcloud Server releases around 13.x (notably 13.0.5 and related updates) and can be triggered by crafted search results con...
CVE-2020-8150
CVE-2020-8150 relates to Nextcloud Server 19.0.1 and describes a cryptographic downgrade where an attacker can degrade the encryption scheme and break the integrity of encrypted files. Public docs indicate this vulnerability affects Nextcloud Server 19.0.1 and is discussed in the NC-SA-2020-039 a...
CVE-2020-8173
CVE-2020-8173 affects Nextcloud Server 18.0.4, where a too-small set of random characters used for encryption enables decryption in less time than intended. The vulnerability’s root cause is insufficient randomness in the encryption key/IV generation. Remediation per connected advisories is to up...
CVE-2017-0886
CVE-2017-0886 affects Nextcloud Server. The vulnerability stems from an error in the application logic that allows an authenticated adversary to trigger an endless recursion, resulting in a Denial of Service. Impact is described as Denial of Service with potential for persistent unavailability. A...
CVE-2017-0890
Nextcloud Server vulnerability CVE-2017-0890 is a DOM-based XSS in the search dialogue caused by inadequate escaping. Affects Nextcloud Server versions prior to 11.0.3. Exploitation requires a user to input or paste malicious content into the search dialogue. The issue is confirmed through multip...
CVE-2018-16466
CVE-2018-16466 affects Nextcloud Server prior to 14.0.0, 13.0.6, and 12.0.11. The root cause is improper revalidation of permissions, which can cause access restrictions to be bypassed via access tokens. The issue is documented in NC-SA-2018-010 (vendor fix). Affected versions include Nextcloud S...
CVE-2020-8296
Summary of CVE-2020-8296 (Nextcloud Server) : Multiple sources describe Nextcloud Server versions prior to 20.0.0 as storing passwords in a recoverable format even when external storage is not configured. The issue is associated with Nextcloud Server
CVE-2017-0891
Nextcloud Server (before 9.0.58, 10.0.5, and 11.0.3) is vulnerable to an inadequate escaping of error messages that leads to Reflected Cross-Site Scripting in multiple components. The provided documents designate this as CVE-2017-0891 and describe XSS in error handling; exploitation details are n...
CVE-2019-5451
CVE-2019-5451 concerns the Nextcloud Android app prior to version 3.6.1, where bypassing the lock protection allowed access to files by repeatedly opening/closing the app in quick succession. The vulnerability affects the Android client’s ability to enforce device/user authentication for local fi...
CVE-2016-9462
Summary: CVE-2016-9462 affects Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4. The root cause is inadequate verification of restore privileges during file restoration, allowing a user with read-only access to revert to older versions. Affected components: Nextcloud Server (pre-9....
CVE-2016-9461
CVE-2016-9461 affects Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4. The vulnerability stems from improper verification of edit permissions on WebDAV COPY actions, where the WebDAV endpoint did not correctly check permissions during COPY. As a result, an authenticated attacker w...
CVE-2016-9468
CVE-2016-9468 affects Nextcloud Server before 9.0.54 and 10.0.1 and ownCloud Server before 9.0.6 and 9.1.2. The vulnerability is a content spoofing issue in the dav app caused by an exception message that included partially user‑controllable input, potentially leading to misrepresentation of info...
CVE-2018-16464
CVE-2018-16464 affects Nextcloud Server prior to 14.0.0. A missing access check could allow continued access to password-protected link shares after the owner changes the password, enabling unauthorized access to shared resources. Remediation: upgrade to Nextcloud Server 14.0.0 or apply vendor ad...
CVE-2018-16465
Nextcloud Server is affected when used with versions prior to 14.0.0. The issue is a missing state that would have enforced a second factor at login if the 2FA provider failed to load, effectively allowing a 2FA bypass under certain conditions. This vulnerability is described in advisories NC-SA-...