Nextcloud
by Nextcloud
Source repositories
CVEs (69)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-25816 | | | 0.00 | — | 0.01 | | Feb 24, 2023 | Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in… |
| CVE-2023-25159 | | | 0.00 | — | 0.00 | | Feb 13, 2023 | Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x… |
| CVE-2022-39332 | | | 0.00 | — | 0.01 | | Nov 25, 2022 | Nextcloud Desktop is the desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known… |
| CVE-2022-39334 | | | 0.00 | — | 0.00 | | Nov 25, 2022 | Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a man-in-the-middle attack that exposes… |
| CVE-2021-41179 | | | 0.00 | — | 0.01 | | Oct 25, 2021 | Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user… |
| CVE-2021-22915 | | | 0.00 | — | 0.02 | | Jun 11, 2021 | Nextcloud Server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks because IPv6 subnets are not included in rate-limiting considerations. This could potentially allow an attacker to bypass rate-limit controls such as the Nextcloud brute-force protection. |
| CVE-2021-29438 | | | 0.00 | — | 0.01 | | Apr 13, 2021 | The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to an XSS vulnerability. The vulnerability has been patched in version… |
| CVE-2020-8296 | | | 0.00 | — | 0.01 | | Mar 3, 2021 | Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured. |
| CVE-2021-22878 | | | 0.00 | — | 0.01 | | Mar 3, 2021 | Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. |
| CVE-2021-22877 | | | 0.00 | — | 0.02 | | Mar 3, 2021 | A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials into other users' external storage configuration when it is not already configured. |
| CVE-2020-8294 | | | 0.00 | — | 0.01 | | Feb 3, 2021 | A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. |
| CVE-2020-8295 | | | 0.00 | — | 0.02 | | Jan 26, 2021 | A wrong check in Nextcloud Server 19 and prior allowed a denial of service attack to be performed when resetting the password for a user. |
| CVE-2020-8293 | | | 0.00 | — | 0.02 | | Jan 26, 2021 | A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules, causing load and potential DDoS on later interactions and usage of those rules. |
| CVE-2020-8259 | | | 0.00 | — | 0.01 | | Nov 16, 2020 | Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys. |
| CVE-2020-8152 | | | 0.00 | — | 0.00 | | Nov 16, 2020 | Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key in order to decrypt them later on. |
| CVE-2020-8133 | | | 0.00 | — | 0.01 | | Nov 9, 2020 | A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file. |
| CVE-2020-8150 | | | 0.00 | — | 0.00 | | Nov 9, 2020 | A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files. |
| CVE-2020-8183 | | | 0.00 | — | 0.02 | | Oct 30, 2020 | A logic error in Nextcloud Server 19.0.0 caused plaintext storage of the share password when it was given on the initial create API call. |
| CVE-2020-8173 | | | 0.00 | — | 0.00 | | Oct 30, 2020 | A too small set of random characters being used for encryption in Nextcloud Server 18.0.4 allowed decryption in a shorter time than intended. |
| CVE-2020-8236 | | | 0.00 | — | 0.01 | | Oct 30, 2020 | A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel that passwordless WebAuthn is also a two-factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it. |
Page 2 of 4