Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Nextcloud Subscribe
Total 227 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-24890 1 Nextcloud 1 Talk 2022-05-26 3.5 LOW 4.3 MEDIUM
Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.
CVE-2020-8156 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Mail 2022-05-24 6.8 MEDIUM 7.0 HIGH
A missing verification of the TLS host in Nextcloud Mail 1.1.3 allowed a man in the middle attack.
CVE-2020-8153 2 Fedoraproject, Nextcloud 2 Fedora, Group Folders 2022-05-24 5.5 MEDIUM 8.1 HIGH
Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.
CVE-2020-8150 1 Nextcloud 1 Nextcloud Server 2022-05-24 1.9 LOW 4.1 MEDIUM
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
CVE-2022-24887 1 Nextcloud 1 Talk 2022-05-09 5.8 MEDIUM 6.1 MEDIUM
Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.
CVE-2022-24886 1 Nextcloud 1 Nextcloud 2022-05-06 2.1 LOW 3.8 LOW
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.
CVE-2022-24885 1 Nextcloud 1 Nextcloud 2022-05-06 2.1 LOW 2.4 LOW
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.1, users can bypass a lock on the Nextcloud app on an Android device by repeatedly reopening the app. Version 3.19.1 contains a fix for the problem. There are currently no known workarounds.
CVE-2021-39225 1 Nextcloud 1 Deck 2022-04-25 5.5 MEDIUM 8.1 HIGH
Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading.
CVE-2022-24838 1 Nextcloud 1 Calendar 2022-04-19 7.5 HIGH 9.8 CRITICAL
Nextcloud Calendar is a calendar application for the nextcloud framework. SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL> ` SMTP command and begin injecting arbitrary SMTP commands. It is recommended that Calendar is upgraded to 3.2.2. There are no workaround available.
CVE-2021-41180 1 Nextcloud 1 Talk 2022-03-15 4.0 MEDIUM 6.1 MEDIUM
Nextcloud talk is a self hosting messaging service. In versions prior 12.1.2 an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in an open-redirect, but required user interaction. This only affected users of the Android Talk client. It is recommended that the Nextcloud Talk App is upgraded to 12.1.2. There are no known workarounds.
CVE-2021-41166 1 Nextcloud 1 Nextcloud 2022-02-02 5.0 MEDIUM 5.3 MEDIUM
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds.
CVE-2021-43863 1 Nextcloud 1 Nextcloud 2022-01-31 5.0 MEDIUM 7.5 HIGH
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to version 3.18.1 to receive a patch. There are no known workarounds aside from upgrading.
CVE-2019-15624 3 Nextcloud, Opensuse, Suse 3 Nextcloud Server, Backports, Suse Linux Enterprise Server 2022-01-01 4.0 MEDIUM 4.9 MEDIUM
Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
CVE-2020-8223 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2022-01-01 3.5 LOW 6.5 MEDIUM
A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.
CVE-2020-8296 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2022-01-01 4.6 MEDIUM 6.7 MEDIUM
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
CVE-2021-22878 2 Fedoraproject, Nextcloud 2 Fedora, Nextcloud Server 2022-01-01 3.5 LOW 4.8 MEDIUM
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
CVE-2020-8118 3 Nextcloud, Novell, Opensuse 3 Nextcloud Server, Suse Linux Enterprise Server, Backports Sle 2021-12-22 4.0 MEDIUM 5.0 MEDIUM
An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.
CVE-2021-22895 2 Debian, Nextcloud 2 Debian Linux, Desktop 2021-12-02 4.3 MEDIUM 5.9 MEDIUM
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
CVE-2021-41256 1 Nextcloud 1 News 2021-12-02 5.8 MEDIUM 7.1 HIGH
nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible.
CVE-2021-39222 1 Nextcloud 1 Talk 2021-11-17 4.3 MEDIUM 6.1 MEDIUM
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Talk application is upgraded to patched versions 10.0.7, 10.1.4, 11.1.2, 11.2.0 or 12.0.0. As a workaround, use a browser that has support for Content-Security-Policy.