Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Nextcloud Subscribe
Filtered by product Nextcloud Server
Total 114 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-0884 1 Nextcloud 1 Nextcloud Server 2022-10-04 4.0 MEDIUM 4.3 MEDIUM
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of folders in read-only folders despite lacking permissions issue. Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder. Note that this only affects folders and files that the adversary has at least read-only permissions for.
CVE-2017-0885 1 Nextcloud 1 Nextcloud Server 2022-10-04 4.0 MEDIUM 4.3 MEDIUM
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message disclosing existence of file in write-only share. Due to an error in the application logic an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.
CVE-2017-0892 1 Nextcloud 1 Nextcloud Server 2022-09-27 4.3 MEDIUM 3.5 LOW
Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file.
CVE-2017-0890 1 Nextcloud 1 Nextcloud Server 2022-09-27 3.5 LOW 5.4 MEDIUM
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.
CVE-2017-0894 1 Nextcloud 1 Nextcloud Server 2022-09-27 4.3 MEDIUM 4.3 MEDIUM
Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.
CVE-2020-8173 1 Nextcloud 1 Nextcloud Server 2022-09-27 3.5 LOW 2.2 LOW
A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in shorter time than intended.
CVE-2020-8183 1 Nextcloud 1 Nextcloud Server 2022-09-27 5.0 MEDIUM 7.5 HIGH
A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.
CVE-2020-8236 1 Nextcloud 1 Nextcloud Server 2022-09-27 4.6 MEDIUM 6.8 MEDIUM
A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.
CVE-2020-8152 1 Nextcloud 1 Nextcloud Server 2022-09-27 2.1 LOW 4.4 MEDIUM
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.
CVE-2020-8259 1 Nextcloud 1 Nextcloud Server 2022-09-27 5.5 MEDIUM 8.1 HIGH
Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.
CVE-2020-8293 1 Nextcloud 1 Nextcloud Server 2022-09-27 4.0 MEDIUM 6.5 MEDIUM
A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.
CVE-2021-22877 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2022-09-27 5.5 MEDIUM 6.5 MEDIUM
A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.
CVE-2021-32766 1 Nextcloud 1 Nextcloud Server 2022-09-27 5.0 MEDIUM 5.3 MEDIUM
Nextcloud Text is an open source plaintext editing application which ships with the nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case the public link share has been created with "Upload Only" privileges. (aka "File Drop"). A link share recipient is not expected to see which folders or files exist in a "File Drop" share. Using this vulnerability an attacker is able to enumerate folders in such a share. Exploitation requires that the attacker has access to a valid affected "File Drop" link share. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.0.1. Users who are unable to upgrade are advised to disable the Nextcloud Text application in the app settings.
CVE-2021-41233 1 Nextcloud 1 Nextcloud Server 2022-09-27 4.3 MEDIUM 5.3 MEDIUM
Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings.
CVE-2021-32801 1 Nextcloud 1 Nextcloud Server 2022-09-27 2.1 LOW 5.5 MEDIUM
Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed Note that ff you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug.
CVE-2021-32800 1 Nextcloud 1 Nextcloud Server 2022-09-27 6.4 MEDIUM 8.1 HIGH
Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workaround for this vulnerability.
CVE-2021-32802 1 Nextcloud 1 Nextcloud Server 2022-09-27 10.0 HIGH 9.8 CRITICAL
Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.
CVE-2022-29243 1 Nextcloud 1 Nextcloud Server 2022-09-27 4.0 MEDIUM 4.3 MEDIUM
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.
CVE-2022-39211 1 Nextcloud 2 Nextcloud Enterprise Server, Nextcloud Server 2022-09-21 N/A 5.3 MEDIUM
Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are no known workarounds for this issue.
CVE-2022-36074 1 Nextcloud 2 Nextcloud Enterprise Server, Nextcloud Server 2022-09-19 N/A 7.5 HIGH
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.