Nextcloud Enterprise Server
by Nextcloud
CVEs (133)
| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-22915 | | Critical | 0.64 | 9.8 | 0.02 | | Jun 11, 2021 | Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection. |
| CVE-2021-32802 | | Critical | 0.61 | 9.3 | 0.03 | | Sep 7, 2021 | Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There… |
| CVE-2018-3775 | | High | 0.57 | 8.8 | 0.01 | | Aug 12, 2018 | Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication. |
| CVE-2021-32656 | | High | 0.56 | 8.6 | 0.02 | | Jun 1, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate… |
| CVE-2021-32654 | | High | 0.53 | 8.1 | 0.02 | | Jun 1, 2021 | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be… |
| CVE-2020-8259 | | High | 0.53 | 8.1 | 0.01 | | Nov 16, 2020 | Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys. |
| CVE-2020-8121 | | High | 0.53 | 8.1 | 0.01 | | Feb 4, 2020 | A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer. |
| CVE-2018-16466 | | High | 0.53 | 8.1 | 0.01 | | Oct 30, 2018 | Improper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 led to access restrictions carried by access tokens not being enforced. |
| CVE-2018-3761 | | High | 0.53 | 8.1 | 0.02 | | Jul 5, 2018 | Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised. |
| CVE-2016-9463 | | High | 0.53 | 8.1 | 0.04 | | Mar 28, 2017 | Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB… |
| CVE-2019-15613 | | High | 0.52 | 8.0 | 0.01 | | Feb 4, 2020 | A bug in Nextcloud Server 17.0.1 causes the workflow rules to base their behaviour on the file extension rather than the actual content when checking file mimetypes. |
| CVE-2020-8154 | | High | 0.50 | 7.7 | 0.02 | | May 12, 2020 | An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. |
| CVE-2020-8295 | | High | 0.49 | 7.5 | 0.02 | | Jan 26, 2021 | A wrong check in Nextcloud Server 19 and prior allowed a denial of service attack when resetting a user's password. |
| CVE-2020-8183 | | High | 0.49 | 7.5 | 0.02 | | Nov 2, 2020 | A logic error in Nextcloud Server 19.0.0 caused plaintext storage of the share password when it was given on the initial create API call. |
| CVE-2026-45281 | | High | 0.46 | 8.1 | 0.00 | | Jun 1, 2026 | Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar.… |
| CVE-2020-8236 | | Medium | 0.44 | 6.8 | 0.01 | | Nov 2, 2020 | A wrong configuration in Nextcloud Server 19.0.1 gave the user the impression that passwordless WebAuthn was also a second factor, by asking for the PIN of the passwordless WebAuthn authenticator but not verifying it. |
| CVE-2020-8293 | | Medium | 0.42 | 6.5 | 0.02 | | Jan 26, 2021 | A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules, causing load and potential DDoS on later interactions and usage with those rules. |
| CVE-2020-8223 | | Medium | 0.42 | 6.5 | 0.01 | | Oct 5, 2020 | A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they were assigned themselves. |
| CVE-2020-8139 | | Medium | 0.42 | 6.5 | 0.02 | | Mar 20, 2020 | A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. |
| CVE-2020-8138 | | Medium | 0.42 | 6.5 | 0.01 | | Mar 20, 2020 | A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL. |
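Two of the entries above share a root cause that is easy to get wrong in any web application: treating an IP address as an opaque string. CVE-2021-22915 describes brute-force protection that counted attempts per IPv6 address, so an attacker who controls a whole /64 can rotate through addresses and never trip the limit; CVE-2020-8138 describes an outbound-URL check that did not recognise IPv4 addresses nested inside IPv6 (for example `::ffff:127.0.0.1`), letting a "public" calendar URL reach loopback. The following is an added example, written for this page and not Nextcloud's own code, showing both checks side by side. The class and function names (`BruteForceGuard`, `rate_limit_key`, `is_internal_target`), the /64 prefix choice and the sample addresses (documentation ranges such as `2001:db8::/32` and `192.0.2.0/24`) are assumptions made for illustration.

```python
import ipaddress
from typing import Callable, Dict

# Hypothetical helper names; the prefix length is an assumption (a /64 is the
# usual end-user IPv6 allocation, so anything finer lets one client rotate).
V6_SUBNET_PREFIX = 64


def naive_key(addr: str) -> str:
    """The weak behaviour: count attempts per literal address string."""
    return addr


def rate_limit_key(addr: str, v6_prefix: int = V6_SUBNET_PREFIX) -> str:
    """Return the bucket under which login attempts from `addr` are counted.

    IPv4-mapped IPv6 addresses are unwrapped so ::ffff:192.0.2.7 and
    192.0.2.7 share a bucket; native IPv6 is collapsed to its /64.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if isinstance(ip, ipaddress.IPv4Address):
        return str(ipaddress.ip_network(f"{ip}/32", strict=False))
    return str(ipaddress.ip_network(f"{ip}/{v6_prefix}", strict=False))


class BruteForceGuard:
    """Minimal failed-login counter; the key function decides what a 'source' is."""

    def __init__(self, max_attempts: int,
                 key_fn: Callable[[str], str] = rate_limit_key):
        self.max_attempts = max_attempts
        self.key_fn = key_fn
        self.attempts: Dict[str, int] = {}

    def record_failure(self, addr: str) -> bool:
        """Record one failed login; return True once the source is blocked."""
        key = self.key_fn(addr)
        self.attempts[key] = self.attempts.get(key, 0) + 1
        return self.attempts[key] >= self.max_attempts


def is_internal_target(host: str) -> bool:
    """True if a URL host literal points at a non-public address.

    Covers IPv4 carried inside IPv6 (IPv4-mapped, 6to4, Teredo), which a
    check that only inspects the IPv6 literal itself would miss. Hostnames
    are not resolved here; a real check must also validate post-DNS results.
    """
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not an IP literal; DNS-based validation is out of scope
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        elif ip.sixtofour is not None:
            ip = ip.sixtofour
        elif ip.teredo is not None:
            ip = ip.teredo[1]  # (server, client) tuple; the client is the embedded host
    return not ip.is_global


def attacker_blocked_after(key_fn: Callable[[str], str], limit: int,
                           addresses: list) -> bool:
    """Constructed scenario: an attacker rotating through `addresses`
    (one failed login each). Returns whether the guard ever blocks them."""
    guard = BruteForceGuard(limit, key_fn)
    return any(guard.record_failure(a) for a in addresses)


if __name__ == "__main__":
    # Constructed sample: three addresses from the same documentation /64.
    rotating = ["2001:db8:0:1::1", "2001:db8:0:1::2", "2001:db8:0:1::3"]
    print("naive key blocks rotating attacker:", attacker_blocked_after(naive_key, 3, rotating))
    print("subnet key blocks rotating attacker:", attacker_blocked_after(rate_limit_key, 3, rotating))
    for h in ["[::ffff:127.0.0.1]", "2001:4860:4860::8888", "10.0.0.5"]:
        print(h, "internal" if is_internal_target(h) else "public")
```

The `key_fn` parameter is what makes the difference visible: with `naive_key` every rotated address starts a fresh counter, with `rate_limit_key` all addresses in the /64 share one. The SSRF side deliberately stops at literals; resolving hostnames and re-checking the resolved address (and pinning it for the actual request) is a separate step that any real deployment still needs.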
Page 1 of 7