Filtered by vendor Nextcloud
Subscriptions
Filtered by product Nextcloud Server
Subscriptions
Total
154 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-32655 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-26 | 3.5 Low |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist. | ||||
| CVE-2021-32654 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-26 | 9.1 Critical |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing. | ||||
| CVE-2021-32653 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-26 | 2.7 Low |
| Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist. | ||||
| CVE-2022-24889 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-25 | 4.3 Medium |
| Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.8 , 22.2.4, and 23.0.1. | ||||
| CVE-2021-41241 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-25 | 4.3 Medium |
| Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings. | ||||
| CVE-2021-32656 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-25 | 8.6 High |
| Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2 As a workaround, disable "Add server automatically once a federated share was created successfully" in the Nextcloud settings. | ||||
| CVE-2021-32726 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-25 | 9.8 Critical |
| Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. | ||||
| CVE-2021-41239 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-24 | 5.3 Medium |
| Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds. | ||||
| CVE-2017-0888 | 1 Nextcloud | 2 Nextcloud, Nextcloud Server | 2022-10-06 | 4.3 Medium |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information. | ||||
| CVE-2017-0886 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-04 | 6.5 Medium |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Service attack. Due to an error in the application logic an authenticated adversary may trigger an endless recursion in the application leading to a potential Denial of Service. | ||||
| CVE-2017-0887 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-04 | 4.3 Medium |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the quota limitation. Due to not properly sanitizing values provided by the `OC-Total-Length` HTTP header an authenticated adversary may be able to exceed their configured user quota. Thus using more space than allowed by the administrator. | ||||
| CVE-2017-0884 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-04 | 4.3 Medium |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of folders in read-only folders despite lacking permissions issue. Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder. Note that this only affects folders and files that the adversary has at least read-only permissions for. | ||||
| CVE-2017-0885 | 1 Nextcloud | 1 Nextcloud Server | 2022-10-04 | 4.3 Medium |
| Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message disclosing existence of file in write-only share. Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages. | ||||
| CVE-2017-0892 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 3.5 Low |
| Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. | ||||
| CVE-2017-0890 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 5.4 Medium |
| Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue. | ||||
| CVE-2017-0894 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 4.3 Medium |
| Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. | ||||
| CVE-2020-8173 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 2.2 Low |
| A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended. | ||||
| CVE-2020-8183 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 7.5 High |
| A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call. | ||||
| CVE-2020-8236 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 6.8 Medium |
| A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it. | ||||
| CVE-2020-8152 | 1 Nextcloud | 1 Nextcloud Server | 2022-09-27 | 4.4 Medium |
| Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on. | ||||