VYPR

Nextcloud Enterprise Server

by Nextcloud

CVEs (133)

  • CVE-2021-22915 | Critical | Jun 11, 2021
    risk 0.64 | cvss 9.8 | epss 0.02

    Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.

  • CVE-2021-32802 | Critical | Sep 7, 2021
    risk 0.61 | cvss 9.3 | epss 0.03

    Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There…

  • CVE-2018-3775 | High | Aug 12, 2018
    risk 0.57 | cvss 8.8 | epss 0.01

    Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypass the 2 Factor Authentication.

  • CVE-2021-32656 | High | Jun 1, 2021
    risk 0.56 | cvss 8.6 | epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate…

  • CVE-2021-32654 | High | Jun 1, 2021
    risk 0.53 | cvss 8.1 | epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be…

  • CVE-2020-8259 | High | Nov 16, 2020
    risk 0.53 | cvss 8.1 | epss 0.01

    Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the encryption keys.

  • CVE-2020-8121 | High | Feb 4, 2020
    risk 0.53 | cvss 8.1 | epss 0.01

    A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.

  • CVE-2018-16466 | High | Oct 30, 2018
    risk 0.53 | cvss 8.1 | epss 0.01

    Improper revalidation of permissions in Nextcloud Server prior to 14.0.0, 13.0.6 and 12.0.11 led to access restrictions by access tokens not being accepted.

  • CVE-2018-3761 | High | Jul 5, 2018
    risk 0.53 | cvss 8.1 | epss 0.02

    Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised.

  • CVE-2016-9463 | High | Mar 28, 2017
    risk 0.53 | cvss 8.1 | epss 0.04

    Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB…

  • CVE-2019-15613 | High | Feb 4, 2020
    risk 0.52 | cvss 8.0 | epss 0.01

    A bug in Nextcloud Server 17.0.1 causes the behaviour of workflow rules to depend on the file extension when checking file mimetypes.

  • CVE-2020-8154 | High | May 12, 2020
    risk 0.50 | cvss 7.7 | epss 0.02

    An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.

  • CVE-2020-8295 | High | Jan 26, 2021
    risk 0.49 | cvss 7.5 | epss 0.02

    A wrong check in Nextcloud Server 19 and prior allowed a denial of service attack to be performed when resetting the password for a user.

  • CVE-2020-8183 | High | Nov 2, 2020
    risk 0.49 | cvss 7.5 | epss 0.02

    A logic error in Nextcloud Server 19.0.0 caused a plaintext storage of the share password when it was given on the initial create API call.

  • CVE-2026-45281 | High | Jun 1, 2026
    risk 0.46 | cvss 8.1 | epss 0.00

    Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, with the knowledge of other users’ principal URL an attacker could possibly send a request to gain full access to their calendar.…

  • CVE-2020-8236 | Medium | Nov 2, 2020
    risk 0.44 | cvss 6.8 | epss 0.01

    A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.

  • CVE-2020-8293 | Medium | Jan 26, 2021
    risk 0.42 | cvss 6.5 | epss 0.02

    A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.

  • CVE-2020-8223 | Medium | Oct 5, 2020
    risk 0.42 | cvss 6.5 | epss 0.01

    A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves.

  • CVE-2020-8139 | Medium | Mar 20, 2020
    risk 0.42 | cvss 6.5 | epss 0.02

    A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL.

  • CVE-2020-8138 | Medium | Mar 20, 2020
    risk 0.42 | cvss 6.5 | epss 0.01

    A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.
