Lucene search
K

98 matches found

CVE
CVE
added 2021/06/01 8:55 p.m.81 views

CVE-2021-32655

The CVE-2021-32655 entry concerns Nextcloud Server: in versions prior to 19.0.11, 20.0.10, and 21.0.2 an attacker could convert a Files Drop link into a federated share. When the sharing user opens the panel and removes the Create privileges from this unexpected share, the system silently grants ...

3.5CVSS4AI score0.01034EPSS
CVE
CVE
added 2022/09/16 11:10 p.m.81 views

CVE-2022-39211

CVE-2022-39211 corresponds to a Server-Side Request Forgery (SSRF) in Nextcloud Server caused by a filter/domain-check bypass that allows locally running web services to be discovered and requested. Affected versions include Nextcloud Server prior to 23.0.8 and 24.0.4, and Nextcloud Enterprise Se...

5.3CVSS4.5AI score0.00739EPSS
CVE
CVE
added 2021/06/11 3:49 p.m.80 views

CVE-2021-22915

Concrete details from connected documents indicate CVE-2021-22915 affects Nextcloud server versions up to 19.0.11, 20.0.10, 21.0.2, due to IPv6 subnets not being included in rate-limiting for brute-force protection. The vulnerability allows bypassing rate-limit protections, with impact described ...

9.8CVSS9.2AI score0.01739EPSS
CVE
CVE
added 2022/10/27 12:0 a.m.80 views

CVE-2022-39329

CVE-2022-39329 affects Nextcloud Server (and Enterprise Server) prior to versions 23.0.9 and 24.0.5, where information could be exposed without admin-controlled access and without database access. The issue is resolved by patches in 23.0.9 and 24.0.5, with no public workarounds reported. Affected...

5.3CVSS4.4AI score0.006EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.79 views

CVE-2020-8121

Nextcloud Server 14.0.4 contains a bug where data could be exposed via reshared link shares beyond what the sharer intended. Evidence from multiple sources shows this could allow access to extended data in reshared links, including expired reshared links that still grant access to the full folder...

8.1CVSS7.9AI score0.01036EPSS
CVE
CVE
added 2022/09/15 10:0 p.m.77 views

CVE-2022-36074

The CVE-2022-36074 entry concerns Nextcloud Server where information disclosure occurs because the server fails to strip the Authorization header during HTTP downgrades. Affected products/versions include Nextcloud Server prior to 23.0.7 and 24.0.3 (enterprise versions 22.2.11, 23.0.7, or 24.0.3)...

7.5CVSS6.8AI score0.00606EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.74 views

CVE-2016-9459

CVE-2016-9459 affects Nextcloud Server < 9.0.52 and ownCloud Server

6.1CVSS5.8AI score0.01493EPSS
CVE
CVE
added 2021/03/03 5:39 p.m.74 views

CVE-2021-22878

CVE-2021-22878 affects Nextcloud Server prior to 20.0.6, where a reflected XSS exists due to insufficient sanitization in OC.Notification.show. The vulnerability is described across multiple sources (e.g., CNVD/CNNVD, OSV, CVE lists) and is mitigated by upgrading Nextcloud to 20.0.6 or later (per...

4.8CVSS5.1AI score0.01059EPSS
CVE
CVE
added 2020/11/16 12:36 a.m.73 views

CVE-2020-8259

Nextcloud Server 19.0.1 is affected by CVE-2020-8259 due to insufficient protection of server-side encryption keys, allowing an attacker to replace the encryption keys. Exploitation details are not provided in the connected docs; the issue is described as a vulnerability in the key protection mec...

8.1CVSS7.9AI score0.00727EPSS
CVE
CVE
added 2021/03/03 5:39 p.m.71 views

CVE-2021-22877

CVE-2021-22877 affects Nextcloud Server prior to 20.0.6, where a missing user check can cause a user’s own credentials to be populated for other users’ external storage configuration when that configuration has not yet been set. This is documented across multiple sources (NVD entry, CNVD/CNNVD su...

6.5CVSS6.5AI score0.01686EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.70 views

CVE-2020-8117

CVE-2020-8117 affects Nextcloud Server 14.0.3, involving improper preservation of permissions that leaks event details when sharing a non-public calendar event. Public references (NVD, CVE listing, SUSE, CNVD, OpenVAS/NC-SA-2020-013) confirm the issue name and description; CVSS metrics from NVD s...

4.3CVSS4.5AI score0.00714EPSS
CVE
CVE
added 2022/10/27 12:0 a.m.70 views

CVE-2022-39330

CVE-2022-39330 affects Nextcloud Server prior to 23.0.10 and 24.0.6, and Nextcloud Enterprise Server prior to 22.2.10, 23.0.10, 24.0.6. Description: a logged-in attacker can cause resource exhaustion (database/cpu load) by abusing sharee recommendations with the Circles feature; patches exist in ...

4.8CVSS4.5AI score0.00819EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.69 views

CVE-2016-9463

This CVE affects Nextcloud Server prior to 9.0.54 and 10.0.1 and ownCloud Server prior to 9.1.2, 9.0.6, and 8.2.9. The issue is an SMB authentication backend that, when enabled, authenticates against an SMB server and incorrectly treats a connection to an SMB server with anonymous authentication ...

8.1CVSS8.2AI score0.04095EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.69 views

CVE-2017-0893

CVE-2017-0893 affects Nextcloud Server prior to 9.0.58, 10.0.5, and 11.0.3. A vulnerable JavaScript library used for sanitizing untrusted input enables a cross-site scripting (XSS) issue due to a Safari 10.1/10.2 behavior change. Nextcloud notes a strict Content-Security-Policy that mitigates exp...

5.4CVSS5.2AI score0.00643EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.67 views

CVE-2020-8122

CVE-2020-8122 affects Nextcloud Server 14.0.3, where a missing authorization check on share expiration updates lets a recipient extend the expiration date of a share they received. The root cause is an inadequate validation of the requester as the owner when modifying a share’s expiration. This v...

4.3CVSS4.7AI score0.00684EPSS
CVE
CVE
added 2022/10/27 12:0 a.m.67 views

CVE-2022-39364

CVE-2022-39364 affects Nextcloud Server and Enterprise Server: reading nextcloud.log can reveal credentials to connect to a SharePoint service. Affected versions include Nextcloud Server prior to 23.0.9 and prior to 24.0.5; Nextcloud Enterprise Server prior to 22.2.10.5, 23.0.9, and 24.0.5. Patch...

6.5CVSS5.3AI score0.00464EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.66 views

CVE-2016-9464

CVE-2016-9464 concerns Nextcloud Server prior to 9.0.54 and 10.0.0, where an improper authorization check on removing shares exists. The Sharing Backend differentiates between user and group shares, but the previous API implementation could unshare a file for all users in a group when a group sha...

4.3CVSS4.3AI score0.01624EPSS
CVE
CVE
added 2017/04/05 8:0 p.m.66 views

CVE-2017-0885

CVE-2017-0885 affects Nextcloud Server prior to 9.0.55 and 10.0.2. An error-message disclosure in write-only shares allows an adversary with access to enumerate existing files and subfolders by comparing exception messages. The issue is documented across multiple sources (Nextcloud advisory NC-SA...

4.3CVSS5.1AI score0.00899EPSS
CVE
CVE
added 2018/07/05 4:0 p.m.66 views

CVE-2018-3761

Nextcloud Server before 12.0.8 and 13.0.3 is affected by an improper authentication flaw at the OAuth2 token endpoint. The root cause is missing checks that could allow issuing new tokens if the OAuth2 client was partly compromised. Public disclosures reference CVE-2018-3761, with vendor advisori...

8.1CVSS8AI score0.01657EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.65 views

CVE-2019-15619

CVE-2019-15619 affects Nextcloud Suite components: Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3, and Nextcloud Deck 0.6.5. The root cause is improper neutralization of file names, conversation names and board names, leading to cross-site scripting when linking these items within a project. Docum...

4.8CVSS5AI score0.0084EPSS
CVE
CVE
added 2020/02/04 7:8 p.m.64 views

CVE-2019-15618

CVE-2019-15618 affects Nextcloud Server Updater up to at least 15.0.5, where missing HTML escaping in the Updater allows a reflected XSS when started from a malicious location. The vulnerability is a client-side reflection (no server-state compromise described) that can lead to execution of arbit...

4.8CVSS4.9AI score0.00729EPSS
CVE
CVE
added 2017/04/05 8:0 p.m.63 views

CVE-2017-0887

CVE-2017-0887 affects Nextcloud Server before 9.0.55 and before 10.0.2, where an authenticated user can bypass quota limits due to improper sanitization of the OC-Total-Length HTTP header, allowing exceedance of configured quotas. The issue is documented across multiple sources (NVD/CNVD/OSV/Open...

4.3CVSS4.5AI score0.00888EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.63 views

CVE-2017-0892

Affected software: Nextcloud Server (

4.3CVSS4.2AI score0.00985EPSS
CVE
CVE
added 2018/10/30 9:0 p.m.63 views

CVE-2018-16467

CVE-2018-16467 (Nextcloud Server before 14.0.0) is an improper access‑control vulnerability enabling unauthenticated attackers to bypass password protection for previews of single-file shares via the vulnerable publicpreview.php endpoint. The issue can disclose previews (notably image files) with...

5.3CVSS5.2AI score0.01068EPSS
CVE
CVE
added 2023/02/13 8:22 p.m.63 views

CVE-2023-25161

CVE-2023-25161 affects Nextcloud Server (and Enterprise Server) with missing rate limiting on the password reset function prior to versions 25.0.1, 24.0.8, and 23.0.12. The root issue is lack of rate limiting, which can cause service slowdown, storage overflow, or cost impact when external email ...

5.3CVSS4.8AI score0.00729EPSS
CVE
CVE
added 2018/03/28 8:0 p.m.62 views

CVE-2017-0936

CVE-2017-0936 affects Nextcloud Server prior to 11.0.7 and 12.0.5, where an Authorization Bypass Through User-Controlled Key vulnerability exists due to a missing ownership check. This allows logged-in users to change the scope of app passwords for other users. The app passwords themselves are no...

5.7CVSS5.3AI score0.00778EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.61 views

CVE-2016-9467

CVE-2016-9467 involves content spoofing in the files app of Nextcloud Server and ownCloud Server. Affected versions: Nextcloud Server < 9.0.54 and 10.0.1; ownCloud Server

5.3CVSS5.8AI score0.02972EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.61 views

CVE-2017-0894

Nextcloud Server prior to 11.0.3 is affected by CVE-2017-0894 due to a logical error that discloses valid share tokens for public calendars, potentially letting an attacker access publicly shared calendars without the token. Affected product: Nextcloud Server; vulnerable component: calendar share...

4.3CVSS4.5AI score0.01169EPSS
CVE
CVE
added 2018/07/05 4:0 p.m.61 views

CVE-2018-3762

CVE-2018-3762 affects Nextcloud Server prior to 12.0.8 and 13.0.3, where improper checks of dropped permissions for incoming shares let a user request previews for files they should not access. Root cause: inadequate enforcement of access control on image preview requests. Impact stated in source...

4.3CVSS4.8AI score0.00888EPSS
CVE
CVE
added 2019/07/30 8:36 p.m.61 views

CVE-2019-5449

CVE-2019-5449 affects Nextcloud Server prior to 15.0.1. A missing check allows leaking calendar event names when adding or modifying confidential or private events. Multiple connected sources confirm an information disclosure vulnerability in Nextcloud Server before 15.0.1. Impact is information ...

4.3CVSS4.6AI score0.00854EPSS
CVE
CVE
added 2022/07/05 5:15 p.m.61 views

CVE-2022-31014

CVE-2022-31014 affects Nextcloud Server; SMTP command injection via iCalendar attachments through newline handling. Affected versions are Nextcloud Server up to 22.2.7/8, 23.x up to 23.0.5, and 24.x up to 24.0.1 (per sources). The root cause is insufficient sanitization of newline characters in S...

5.4CVSS4.8AI score0.02421EPSS
CVE
CVE
added 2017/04/05 8:0 p.m.60 views

CVE-2017-0884

CVE-2017-0884 affects Nextcloud Server prior to versions 9.0.55 and 10.0.2 . A logical error in the file caching layer allows an authenticated attacker who has at least read-only permissions to create empty folders inside a shared folder, i.e., a creation of folders in read-only folders despite l...

4.3CVSS5.1AI score0.00666EPSS
CVE
CVE
added 2020/10/30 6:11 p.m.59 views

CVE-2020-8236

Nextcloud Server 19.0.1 contains an improper authentication issue where a misconfiguration causes a passwordless WebAuthn PIN to be treated as two-factor authentication, but the PIN is not actually verified. This vulnerability could lead to users believing they have 2FA protection when the system...

6.8CVSS6.6AI score0.00582EPSS
CVE
CVE
added 2018/10/30 9:0 p.m.58 views

CVE-2018-16463

CVE-2018-16463 describes a session-fixation bug in Nextcloud Server, affecting versions prior to 14.0.0, 13.0.3, and 12.0.8, which could allow an attacker to access password-protected shares. Core details provided indicate a vulnerability in Nextcloud Server’s session handling, with the public Ne...

3.6CVSS3.9AI score0.00545EPSS
CVE
CVE
added 2018/08/13 7:0 p.m.58 views

CVE-2018-3780

CVE-2018-3780 detail (normal mode): Nextcloud’s autocomplete search results may expose a stored XSS due to missing sanitization in the autocomplete field. The flaw affects Nextcloud Server releases around 13.x (notably 13.0.5 and related updates) and can be triggered by crafted search results con...

5.4CVSS4.9AI score0.00769EPSS
CVE
CVE
added 2020/11/09 2:19 p.m.58 views

CVE-2020-8150

CVE-2020-8150 relates to Nextcloud Server 19.0.1 and describes a cryptographic downgrade where an attacker can degrade the encryption scheme and break the integrity of encrypted files. Public docs indicate this vulnerability affects Nextcloud Server 19.0.1 and is discussed in the NC-SA-2020-039 a...

4.1CVSS4.4AI score0.00286EPSS
CVE
CVE
added 2020/10/30 6:12 p.m.58 views

CVE-2020-8173

CVE-2020-8173 affects Nextcloud Server 18.0.4, where a too-small set of random characters used for encryption enables decryption in less time than intended. The vulnerability’s root cause is insufficient randomness in the encryption key/IV generation. Remediation per connected advisories is to up...

3.5CVSS4.5AI score0.00365EPSS
CVE
CVE
added 2017/04/05 8:0 p.m.57 views

CVE-2017-0886

CVE-2017-0886 affects Nextcloud Server. The vulnerability stems from an error in the application logic that allows an authenticated adversary to trigger an endless recursion, resulting in a Denial of Service. Impact is described as Denial of Service with potential for persistent unavailability. A...

6.5CVSS6.2AI score0.0123EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.57 views

CVE-2017-0890

Nextcloud Server vulnerability CVE-2017-0890 is a DOM-based XSS in the search dialogue caused by inadequate escaping. Affects Nextcloud Server versions prior to 11.0.3. Exploitation requires a user to input or paste malicious content into the search dialogue. The issue is confirmed through multip...

5.4CVSS5.2AI score0.00739EPSS
CVE
CVE
added 2018/10/30 9:0 p.m.57 views

CVE-2018-16466

CVE-2018-16466 affects Nextcloud Server prior to 14.0.0, 13.0.6, and 12.0.11. The root cause is improper revalidation of permissions, which can cause access restrictions to be bypassed via access tokens. The issue is documented in NC-SA-2018-010 (vendor fix). Affected versions include Nextcloud S...

8.1CVSS7.9AI score0.00957EPSS
CVE
CVE
added 2021/03/03 5:40 p.m.57 views

CVE-2020-8296

Summary of CVE-2020-8296 (Nextcloud Server) : Multiple sources describe Nextcloud Server versions prior to 20.0.0 as storing passwords in a recoverable format even when external storage is not configured. The issue is associated with Nextcloud Server

6.7CVSS6.5AI score0.00512EPSS
CVE
CVE
added 2017/05/08 8:0 p.m.56 views

CVE-2017-0891

Nextcloud Server (before 9.0.58, 10.0.5, and 11.0.3) is vulnerable to an inadequate escaping of error messages that leads to Reflected Cross-Site Scripting in multiple components. The provided documents designate this as CVE-2017-0891 and describe XSS in error handling; exploitation details are n...

5.4CVSS5.4AI score0.00643EPSS
CVE
CVE
added 2019/07/30 8:33 p.m.56 views

CVE-2019-5451

CVE-2019-5451 concerns the Nextcloud Android app prior to version 3.6.1, where bypassing the lock protection allowed access to files by repeatedly opening/closing the app in quick succession. The vulnerability affects the Android client’s ability to enforce device/user authentication for local fi...

4.6CVSS4.6AI score0.00385EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.54 views

CVE-2016-9462

Summary: CVE-2016-9462 affects Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4. The root cause is inadequate verification of restore privileges during file restoration, allowing a user with read-only access to revert to older versions. Affected components: Nextcloud Server (pre-9....

4.3CVSS4.8AI score0.01874EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.53 views

CVE-2016-9461

CVE-2016-9461 affects Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4. The vulnerability stems from improper verification of edit permissions on WebDAV COPY actions, where the WebDAV endpoint did not correctly check permissions during COPY. As a result, an authenticated attacker w...

4.3CVSS4.6AI score0.02EPSS
CVE
CVE
added 2017/03/28 2:46 a.m.52 views

CVE-2016-9468

CVE-2016-9468 affects Nextcloud Server before 9.0.54 and 10.0.1 and ownCloud Server before 9.0.6 and 9.1.2. The vulnerability is a content spoofing issue in the dav app caused by an exception message that included partially user‑controllable input, potentially leading to misrepresentation of info...

5.3CVSS5.4AI score0.02077EPSS
CVE
CVE
added 2018/10/30 9:0 p.m.52 views

CVE-2018-16464

CVE-2018-16464 affects Nextcloud Server prior to 14.0.0. A missing access check could allow continued access to password-protected link shares after the owner changes the password, enabling unauthorized access to shared resources. Remediation: upgrade to Nextcloud Server 14.0.0 or apply vendor ad...

5.7CVSS5.5AI score0.00891EPSS
CVE
CVE
added 2018/10/30 9:0 p.m.51 views

CVE-2018-16465

Nextcloud Server is affected when used with versions prior to 14.0.0. The issue is a missing state that would have enforced a second factor at login if the 2FA provider failed to load, effectively allowing a 2FA bypass under certain conditions. This vulnerability is described in advisories NC-SA-...

5.3CVSS5.1AI score0.00811EPSS
Total number of security vulnerabilities98