rpm package
suse/nextcloud&distro=SUSE Package Hub 15 SP2
pkg:rpm/suse/nextcloud&distro=SUSE%20Package%20Hub%2015%20SP2
Vulnerabilities (25)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-41179 | — |  |  | < 20.0.14-bp153.2.9.1 | 20.0.14-bp153.2.9.1 | Oct 25, 2021 | Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user sess |
| CVE-2021-41178 | — |  |  | < 20.0.14-bp153.2.9.1 | 20.0.14-bp153.2.9.1 | Oct 25, 2021 | Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged |
| CVE-2021-41177 | — |  |  | < 20.0.14-bp153.2.9.1 | 20.0.14-bp153.2.9.1 | Oct 25, 2021 | Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as `AnonRateThrottle` or `UserRateThro |
| CVE-2021-32802 | — |  |  | < 20.0.12-bp152.2.12.1 | 20.0.12-bp152.2.12.1 | Sep 7, 2021 | Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There |
| CVE-2021-32801 | — |  |  | < 20.0.12-bp152.2.12.1 | 20.0.12-bp152.2.12.1 | Sep 7, 2021 | Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded t |
| CVE-2021-32800 | — |  |  | < 20.0.12-bp152.2.12.1 | 20.0.12-bp152.2.12.1 | Sep 7, 2021 | Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. I |
| CVE-2021-32766 | — |  |  | < 20.0.12-bp152.2.12.1 | 20.0.12-bp152.2.12.1 | Sep 7, 2021 | Nextcloud Text is an open source plaintext editing application which ships with the Nextcloud server. In affected versions the Nextcloud Text application returned different error messages depending on whether a folder existed in a public link share. This is problematic in case th |
| CVE-2021-32741 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue |
| CVE-2021-32734 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on share |
| CVE-2021-32726 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. |
| CVE-2021-32725 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There |
| CVE-2021-32705 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issu |
| CVE-2021-32703 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in v |
| CVE-2021-32688 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to specific applications (e.g. DAV sync clients), and can also be configured by the user |
| CVE-2021-32680 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. Thi |
| CVE-2021-32679 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, th |
| CVE-2021-32678 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jul 12, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends |
| CVE-2020-8294 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Feb 3, 2021 | A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. |
| CVE-2020-8295 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jan 26, 2021 | A wrong check in Nextcloud Server 19 and prior allowed a denial of service attack to be performed when resetting the password for a user. |
| CVE-2020-8293 | — |  |  | < 20.0.11-bp153.2.3.1 | 20.0.11-bp153.2.3.1 | Jan 26, 2021 | A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules, causing load and potential DDoS on later interactions and usage with those rules. |
Page 1 of 2