VYPR

Vendor CVEs

Nextcloud

All CVEs

330 total · sorted by risk
  • CVE-2023-30539 · Apr 17, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud is a personal home server system. Depending on the configured tags and other workflows, this issue can be used to limit the access of others or to grant them access when system-tag-based file access control or file retention rules are in place. It is recommended that…

  • CVE-2023-28999 · Apr 4, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can…

  • CVE-2023-28848 · Apr 4, 2023
    risk 0.00 · cvss n/a · epss 0.00

    user_oidc is the OpenID Connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection, as they could simply copy the expected state token from the first request…
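
    Added example, not code from user_oidc or Nextcloud: a minimal Python handler for the OAuth2/OIDC `state` parameter showing the properties a correct check needs, namely a value that is unpredictable, bound to the browser session that started the login, compared in constant time and accepted only once. A check that merely confirms the callback carries a state value the requester has already seen, which is what the truncated description above suggests happened, provides none of these. The in-memory session store, the 600 s lifetime and the session names are assumptions for the demo.

```python
import hmac
import secrets
import time


class OidcStateGuard:
    """Issue and verify the OAuth2/OIDC `state` parameter for a login flow."""

    TTL_SECONDS = 600  # assumption for the demo: how long a pending login stays valid

    def __init__(self, now=time.time):
        # Constructed in-memory store keyed by browser session id; a real
        # deployment keeps this in the framework's server-side session.
        self._pending: dict[str, dict] = {}
        self._now = now

    def start_login(self, session_id: str) -> str:
        """Generate a fresh, unpredictable state and bind it to this session."""
        state = secrets.token_urlsafe(32)
        self._pending[session_id] = {"state": state, "issued": self._now()}
        return state  # goes into the authorization request URL

    def verify_callback(self, session_id: str, state_param: str) -> bool:
        """Accept the IdP callback only if `state_param` is the value issued to
        *this* session, is not expired and has not been consumed before."""
        pending = self._pending.pop(session_id, None)  # single use, even on failure
        if pending is None:
            return False
        if self._now() - pending["issued"] > self.TTL_SECONDS:
            return False
        # Constant-time compare: a plain == leaks the match position by timing.
        return hmac.compare_digest(pending["state"], state_param)


def demo() -> dict:
    """Walk the three cases a state check must get right."""
    guard = OidcStateGuard()

    # 1. Legitimate flow, then a replay of the same callback.
    victim_state = guard.start_login("victim-session")
    legit = guard.verify_callback("victim-session", victim_state)
    replay = guard.verify_callback("victim-session", victim_state)

    # 2. Attacker starts their own login, learns their own state from the
    #    redirect, and presents it on a callback in the victim's session.
    guard.start_login("victim-session")
    attacker_state = guard.start_login("attacker-session")
    cross_session = guard.verify_callback("victim-session", attacker_state)

    return {"legit": legit, "replay": replay, "cross_session": cross_session}


if __name__ == "__main__":
    print(demo())
```

    The point of binding the state to the session rather than to the request is that an attacker can always obtain a valid-looking state for a session they control; the server must check that the value returned belongs to the session the callback arrives in.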

  • CVE-2023-28834 · Apr 3, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user…

  • CVE-2023-28844 · Mar 31, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users…

  • CVE-2023-28645 · Mar 31, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud richdocuments is a Nextcloud app integrating the office suite Collabora Online. In affected versions the secure view feature of the richdocuments app can be bypassed by using an unprotected internal API endpoint of the richdocuments app. It is recommended that the…

  • CVE-2023-28835 · Mar 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source home cloud implementation. In affected versions the fallback password generated when creating a share used a weak (low-complexity) random number generator, so when the sharer did not change it the password could be guessed by an attacker…

  • CVE-2023-28833 · Mar 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provide a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access…

  • CVE-2023-28644 · Mar 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performance and/or can lead to a denial of service. This issue has been addressed and it is recommended that the…

  • CVE-2023-28643 · Mar 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended…

  • CVE-2023-28646 · Mar 30, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Android is an Android app for interfacing with the Nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker who has access to the unlocked physical device can bypass the Nextcloud Android PIN/passcode protection via a third-party app. This…

  • CVE-2023-25817 · Mar 27, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were only supposed to be able to view or download, not delete. This issue has been addressed and it is…

  • CVE-2023-25818 · Mar 27, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are…

  • CVE-2023-25820 · Mar 22, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as…

  • CVE-2023-25821 · Feb 24, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is…

  • CVE-2023-25816 · Feb 24, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in…

  • CVE-2023-25579 · Feb 22, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow to…
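
    Added example, not Nextcloud's `getFullPath()` code: a Python illustration of the ordering bug class named above, with a containment check run on the raw string before `..` segments are collapsed beside the correct order, which canonicalises first and validates the result. The virtual root, the backslash folding and the sample paths are assumptions for the demo.

```python
import posixpath


class PathOutsideRootError(ValueError):
    """Raised when a canonical path does not stay inside the user's root."""


def normalize(path: str) -> str:
    """Canonicalise: unify separators, collapse '.', '..' and repeated slashes.
    Folding backslashes is an assumption for this demo's virtual filesystem."""
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def validate(root: str, path: str) -> str:
    """Root-containment check: `path` must be `root` or live strictly below it."""
    prefix = root.rstrip("/") + "/"
    if path != root and not path.startswith(prefix):
        raise PathOutsideRootError(f"{path!r} escapes {root!r}")
    return path


def full_path_validate_then_normalize(root: str, relative: str) -> str:
    """Wrong order: the prefix check sees the raw string, so 'docs/../../..'
    still starts with the root; the '..' segments only take effect afterwards."""
    candidate = root.rstrip("/") + "/" + relative
    validate(root, candidate)
    return normalize(candidate)


def full_path_normalize_then_validate(root: str, relative: str) -> str:
    """Correct order: canonicalise first, then check where the result landed."""
    candidate = normalize(root.rstrip("/") + "/" + relative)
    return validate(root, candidate)


def demo() -> dict:
    root = "/alice/files"                      # assumed per-user root
    hostile = "docs/../../../bob/files/secret.txt"
    wrong = full_path_validate_then_normalize(root, hostile)
    try:
        full_path_normalize_then_validate(root, hostile)
        right = "accepted"
    except PathOutsideRootError:
        right = "rejected"
    benign = full_path_normalize_then_validate(root, "docs/./report.pdf")
    return {"wrong_order": wrong, "right_order": right, "benign": benign}


if __name__ == "__main__":
    print(demo())
```

    The rule generalises beyond `..`: any check on a path (prefix, blacklist, extension) must run on the form the filesystem will actually see, so every decoding and normalisation step comes first and the check comes last.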

  • CVE-2023-25162 · Feb 13, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage…

  • CVE-2023-25161 · Feb 13, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1, 24.0.8, and 23.0.12 are missing rate limiting on password reset functionality. This could result in service…
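
    Added example, not Nextcloud's implementation, covering the three entries above that concern secrets: the share fallback password (CVE-2023-28835), the 62^21 reset-token search space (CVE-2023-25818) and the missing rate limit on password reset (CVE-2023-25161). The Python below generates tokens with a CSPRNG over the same 62-symbol alphabet (21 symbols is roughly 125 bits, which only counts if the generator is unpredictable), stores only a hash of the token, expires it, accepts it once, and counts failed verifications per target account so that a third party cannot grind through the space. Lifetimes, attempt limits and the in-memory stores are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits   # 62 symbols, as in the advisory
TOKEN_LEN = 21
TOKEN_TTL = 600          # seconds a reset token stays valid (assumption)
MAX_FAILURES = 5         # failed verifications per account before lockout (assumption)
WINDOW = 900             # seconds the failure counter looks back (assumption)


def generate_token(length: int = TOKEN_LEN) -> str:
    """CSPRNG token. secrets.choice draws unbiased from the OS RNG; random.choice
    (Mersenne Twister) can be reconstructed from a few hundred outputs and must
    not be used for share passwords or reset tokens."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class PasswordResetService:
    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, tuple[bytes, float]] = {}  # user -> (sha256(token), issued)
        self._failures: dict[str, list[float]] = {}         # user -> failure timestamps

    def request_reset(self, user: str) -> str:
        token = generate_token()
        # Store only a hash: a database read must not yield a usable token.
        self._pending[user] = (hashlib.sha256(token.encode()).digest(), self._now())
        return token  # sent to the account's e-mail, never persisted

    def _locked_out(self, user: str) -> bool:
        now = self._now()
        recent = [t for t in self._failures.get(user, []) if now - t < WINDOW]
        self._failures[user] = recent
        return len(recent) >= MAX_FAILURES

    def _record_failure(self, user: str) -> bool:
        self._failures.setdefault(user, []).append(self._now())
        return False

    def verify(self, user: str, presented: str) -> bool:
        if self._locked_out(user):
            return False                      # rate limited: do not even compare
        entry = self._pending.get(user)
        if entry is None:
            return self._record_failure(user)
        digest, issued = entry
        fresh = self._now() - issued <= TOKEN_TTL
        presented_digest = hashlib.sha256(presented.encode()).digest()
        if fresh and hmac.compare_digest(digest, presented_digest):
            del self._pending[user]           # single use
            self._failures.pop(user, None)
            return True
        return self._record_failure(user)


if __name__ == "__main__":
    svc = PasswordResetService()
    t = svc.request_reset("alice")
    print(t, svc.verify("alice", "x" * TOKEN_LEN), svc.verify("alice", t))
```

    The limit is keyed on the account being reset, not on the requester, because the scenario in the advisory is one user attacking another's reset flow; a per-IP limit alone is trivially spread across addresses.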

  • CVE-2023-25160 · Feb 13, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Mail is an email app for the Nextcloud home server platform. Prior to versions 2.2.1, 1.14.5, 1.12.9, and 1.11.8, an attacker can access the mail box by ID getting the subjects and the first characters of the emails. Users should upgrade to Mail 2.2.1 for Nextcloud 25,…

  • CVE-2023-25159 · Feb 13, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x…

  • CVE-2023-21436 · Feb 9, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper usage of an implicit intent in Contacts prior to SMR Feb-2023 Release 1 allows an attacker to obtain the account ID.

  • CVE-2023-25150 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud office/richdocuments is an office suite for the Nextcloud server platform. In affected versions the Collabora integration can be tricked into providing access to any file without proper permission validation. As a result any user with access to Collabora can obtain the…

  • CVE-2023-23943 · Feb 6, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Mail is an email app for the Nextcloud home server platform. In affected versions the SMTP, IMAP and Sieve host fields allowed scanning for internal services and servers reachable from within the local network of the Nextcloud Server. It is recommended that the…

  • CVE-2023-23944 · Feb 6, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Mail is an email app for the Nextcloud home server platform. In versions prior to 2.2.2 users' passwords were stored in cleartext in the database for the duration of the OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access…

  • CVE-2023-22471 · Jan 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Broken access control allows a user to delete attachments of other users. There are currently no known workarounds. It is recommended that the…

  • CVE-2023-22470 · Jan 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A database error can be generated potentially causing a DoS when performed multiple times. There are currently no known workarounds. It is…

  • CVE-2023-22469 · Jan 10, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, an unauthorized user could get the cached data of a user that…

  • CVE-2023-22473 · Jan 9, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Talk-Android enables users to have video & audio calls through Nextcloud on Android. Due to passcode bypass, an attacker is able to access the user's Nextcloud files and view conversations. To exploit this the attacker needs to have physical access to the target's device. There…

  • CVE-2023-22472 · Jan 9, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in…

  • CVE-2022-39896 · Dec 8, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Improper access control vulnerabilities in Contacts prior to SMR Dec-2022 Release 1 allow access to sensitive information via an implicit intent.

  • CVE-2022-41971 · Dec 1, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Talk Android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call…

  • CVE-2022-41970 · Dec 1, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked.…

  • CVE-2022-41969 · Dec 1, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11,…

  • CVE-2022-41968 · Dec 1, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Version 23.0.10 and 24.0.5…

  • CVE-2022-39338 · Nov 25, 2022
    risk 0.00 · cvss n/a · epss 0.01

    user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery URLs, which may lead to a stored cross-site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint.…

  • CVE-2022-39334 · Nov 25, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes…

  • CVE-2022-41926 · Nov 25, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Talk Android is the Android implementation of the Nextcloud Talk chat system. In affected versions the receiver is not protected by a broadcastPermission, allowing malicious apps to monitor communication. It is recommended that Nextcloud Talk Android is upgraded to…

  • CVE-2022-39339 · Nov 25, 2022
    risk 0.00 · cvss n/a · epss 0.00

    user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1 sensitive information such as the OIDC client credentials and tokens is sent in plain text over HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to…

  • CVE-2022-39332 · Nov 25, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Desktop is the desktop sync client for Nextcloud. An attacker can inject arbitrary HTML into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known…

  • CVE-2022-39346 · Nov 25, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source personal cloud server. Affected versions of Nextcloud server did not properly limit user display names, which could allow malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud…

  • CVE-2022-39364 · Oct 27, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain…

  • CVE-2022-39330 · Oct 27, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing…

  • CVE-2022-39329 · Oct 27, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without…

  • CVE-2022-39211 · Sep 16, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the…

  • CVE-2022-36074 · Sep 15, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source personal cloud product. Affected versions are vulnerable to information exposure: the Authorization header is not stripped on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that…
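
    Added example, not Nextcloud's HTTP client: a Python redirect policy that shows the two behaviours side by side. With `strict=False` every header, credentials included, is replayed to wherever a 3xx points, which is the failure class described above; with `strict=True` credential headers are dropped when the scheme downgrades from https to http or the origin changes. The redirect chain, hostnames and bearer token are constructed for the demo.

```python
from urllib.parse import urlsplit

SENSITIVE = ("authorization", "cookie", "proxy-authorization")
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url: str) -> tuple:
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def headers_for_redirect(from_url: str, to_url: str, headers: dict, strict: bool = True) -> dict:
    """Headers to send on the redirected request.

    strict=False reproduces the unsafe behaviour: everything is forwarded.
    strict=True drops credential headers on an https->http downgrade or when
    the target origin (scheme, host, port) differs from the original one."""
    if not strict:
        return dict(headers)
    src, dst = _origin(from_url), _origin(to_url)
    downgrade = src[0] == "https" and dst[0] == "http"
    if downgrade or src != dst:
        return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}
    return dict(headers)


def follow_redirects(start_url: str, headers: dict, responses: dict,
                     strict: bool = True, max_hops: int = 5) -> list:
    """Walk a constructed redirect chain. `responses` maps URL -> (status, Location).
    Returns [(url, headers_sent), ...] per hop so that any leak is visible."""
    url, hdrs, trail = start_url, dict(headers), []
    for _ in range(max_hops + 1):
        trail.append((url, dict(hdrs)))
        status, location = responses.get(url, (200, None))
        if status not in (301, 302, 303, 307, 308) or not location:
            return trail
        hdrs = headers_for_redirect(url, location, hdrs, strict=strict)
        url = location
    raise RuntimeError("too many redirects")


# Constructed chain: the first hop downgrades to http, the second leaves the origin.
START = "https://cloud.example/remote.php/dav/files/x"
SAMPLE_RESPONSES = {
    START: (302, "http://cloud.example/landing"),
    "http://cloud.example/landing": (302, "https://evil.example/collect"),
    "https://evil.example/collect": (200, None),
}
CREDS = {"Authorization": "Bearer s3cr3t-demo-token", "Accept": "*/*"}


def demo(strict: bool) -> list:
    """For each hop: (url, whether Authorization was sent there)."""
    trail = follow_redirects(START, CREDS, SAMPLE_RESPONSES, strict=strict)
    return [(url, "Authorization" in sent) for url, sent in trail]


if __name__ == "__main__":
    print("unsafe:", demo(strict=False))
    print("strict:", demo(strict=True))
```

    Checking the full origin rather than only the scheme matters because a redirect to the same host on a different port, or to a sibling host, is just as much a third party as a downgrade from the point of view of the bearer token.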

  • CVE-2022-36075 · Sep 15, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access…

  • CVE-2022-31119 · Aug 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be…

  • CVE-2022-31132 · Aug 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery…
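
    Added example, not Nextcloud's or the Mail app's validation code, for the four SSRF entries above (CVE-2023-25162, CVE-2023-23943, CVE-2022-39211 and CVE-2022-31132): a Python check for a user-supplied host or URL that refuses loopback, private, link-local and other non-routable destinations, including IPv4-mapped IPv6 forms, and that evaluates every resolved address rather than the first. The resolver is injectable so the demo runs offline; the hostnames and addresses in the constructed DNS table are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_forbidden_ip(ip) -> bool:
    """True for any address a server-side request must never be sent to."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return is_forbidden_ip(ip.ipv4_mapped)     # ::ffff:127.0.0.1 and friends
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> set:
    """Default resolver: every A/AAAA answer, not just the first one."""
    return {ipaddress.ip_address(r[4][0]) for r in socket.getaddrinfo(host, None)}


def check_outbound_host(host: str, resolver=resolve_all) -> str:
    """Return the IP literal to connect to, or raise ValueError.
    Connect to the returned literal instead of re-resolving the name:
    a DNS rebind between check and connect would otherwise defeat the check."""
    host = host.strip("[]").lower()
    try:
        ips = {ipaddress.ip_address(host)}
    except ValueError:
        if not host or host == "localhost" or host.endswith(".localhost"):
            raise ValueError(f"refusing {host!r}")
        ips = resolver(host)
    if not ips:
        raise ValueError(f"{host!r} does not resolve")
    bad = [ip for ip in ips if is_forbidden_ip(ip)]
    if bad:
        raise ValueError(f"{host!r} resolves to internal address {bad[0]}")
    return str(sorted(ips, key=str)[0])


def check_outbound_url(url: str, resolver=resolve_all) -> str:
    u = urlsplit(url)
    if u.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {u.scheme!r} not allowed")
    if u.username or u.password:
        raise ValueError("credentials in URL not allowed")
    return check_outbound_host(u.hostname or "", resolver)


# Constructed DNS table so the demo runs offline.
FAKE_DNS = {
    "public.example": {ipaddress.ip_address("93.184.216.34")},
    "internal.corp": {ipaddress.ip_address("10.0.0.5")},
    "rebind.example": {ipaddress.ip_address("93.184.216.34"), ipaddress.ip_address("127.0.0.1")},
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS.get(host, set())


def demo() -> dict:
    """Classify a set of attacker-style host values: 'ok <ip>' or 'rejected'."""
    results = {}
    for h in ["public.example", "internal.corp", "rebind.example", "localhost",
              "127.0.0.1", "[::1]", "::ffff:169.254.169.254", "0.0.0.0", "10.1.2.3"]:
        try:
            results[h] = "ok " + check_outbound_host(h, fake_resolver)
        except ValueError:
            results[h] = "rejected"
    return results


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(f"{host:28} {verdict}")
```

    The host check alone is not enough when the request can follow redirects; the redirected target has to be re-checked with the same function before each hop.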

  • CVE-2022-31120 · Aug 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Nextcloud server is an open source personal cloud solution. The audit log, which is meant to provide a full trail of actions, was incompletely populated. In affected versions federated share events were not properly logged, which would allow brute force attacks to go unnoticed.…

Page 4 of 7