Filtered by vendor Nextcloud
Subscribe
Total
227 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-26041 | 1 Nextcloud | 1 Nextcloud Talk | 2023-03-08 | N/A | 4.3 MEDIUM |
Nextcloud Talk is a fully on-premises audio/video and chat communication service. When cron jobs were misconfigured and therefore messages are not expired, the API would still return them while they were then hidden by the frontend code. It is recommended that the Nextcloud Talk is upgraded to 15.0.3. There are no workaround available. | |||||
CVE-2023-25816 | 1 Nextcloud | 1 Nextcloud Server | 2023-03-07 | N/A | 6.5 MEDIUM |
Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3 No workaround is available. | |||||
CVE-2023-25821 | 1 Nextcloud | 1 Nextcloud Server | 2023-03-06 | N/A | 7.5 HIGH |
Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available. | |||||
CVE-2022-39334 | 1 Nextcloud | 1 Desktop | 2023-03-06 | N/A | 4.7 MEDIUM |
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. | |||||
CVE-2018-3764 | 1 Nextcloud | 1 Contacts | 2023-03-03 | 3.5 LOW | 4.8 MEDIUM |
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins. | |||||
CVE-2019-5476 | 1 Nextcloud | 1 Lookup-server | 2023-03-03 | 7.5 HIGH | 9.8 CRITICAL |
An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to be able to execute arbitrary SQL commands. | |||||
CVE-2023-25579 | 1 Nextcloud | 1 Nextcloud Server | 2023-03-03 | N/A | 7.5 HIGH |
Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to creation of paths outside of ones own space and overwriting data from other users with crafted paths. This issue has been addressed in versions 25.0.2, 24.0.8, and 23.0.12. Users are advised to upgrade. There are no known workarounds for this issue. | |||||
CVE-2018-3776 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log. | |||||
CVE-2018-3763 | 1 Nextcloud | 1 Calendar | 2023-02-28 | 3.5 LOW | 4.8 MEDIUM |
In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins. | |||||
CVE-2018-3762 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to. | |||||
CVE-2018-3761 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-28 | 5.8 MEDIUM | 8.1 HIGH |
Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised. | |||||
CVE-2018-3775 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-27 | 4.0 MEDIUM | 8.8 HIGH |
Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication. | |||||
CVE-2023-25159 | 1 Nextcloud | 2 Nextcloud Server, Richdocuments | 2023-02-24 | N/A | 5.3 MEDIUM |
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocuments) App 6.x prior to 6.3.1 and 7.x prior to 7.0.1 have previews accessible without a watermark. The download should be hidden and the watermark should get applied. This issue is fixed in Nextcloud Server 25.0.1 and 24.0.8, Nextcloud Enterprise Server 25.0.1 and 24.0.8, and Nextcloud Office (Richdocuments) App 7.0.1 (for 25) and 6.3.1 (for 24). No known workarounds are available. | |||||
CVE-2023-25162 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-23 | N/A | 5.3 MEDIUM |
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available. | |||||
CVE-2023-25161 | 1 Nextcloud | 1 Nextcloud Server | 2023-02-23 | N/A | 5.3 MEDIUM |
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available. | |||||
CVE-2023-25160 | 1 Nextcloud | 1 Mail | 2023-02-22 | N/A | 5.3 MEDIUM |
Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25, Mail 1.14.5 for Nextcloud 22-24, Mail 1.12.9 for Nextcloud 21, or Mail 1.11.8 for Nextcloud 20 to receive a patch. No known workarounds are available. | |||||
CVE-2023-25150 | 1 Nextcloud | 1 Richdocuments | 2023-02-16 | N/A | 5.7 MEDIUM |
Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users files. It is recommended that the Nextcloud Office App (Collabora Integration) is updated to 7.0.2 (Nextcloud 25), 6.3.2 (Nextcloud 24), 5.0.10 (Nextcloud 23), 4.2.9 (Nextcloud 21-22), or 3.8.7 (Nextcloud 15-20). There are no known workarounds for this issue. | |||||
CVE-2023-23943 | 1 Nextcloud | 1 Mail | 2023-02-15 | N/A | 4.3 MEDIUM |
Nextcloud mail is an email app for the nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed to scan for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the Nextcloud Maill app is upgraded to 1.15.0 or 2.2.2. The only known workaround for this issue is to completely disable the nextcloud mail app. | |||||
CVE-2023-23942 | 1 Nextcloud | 1 Desktop | 2023-02-14 | N/A | 6.1 MEDIUM |
The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue. | |||||
CVE-2023-23944 | 1 Nextcloud | 1 Mail | 2023-02-14 | N/A | 6.5 MEDIUM |
Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue. |