VYPR

Vendor CVEs

Nextcloud

All CVEs

330 total · sorted by risk
  • CVE-2022-31118 · Aug 4, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the…

  • CVE-2022-31131 · Jul 6, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users.…

  • CVE-2022-31014 · Jul 5, 2022
    risk 0.00 · cvss · epss 0.02

    Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack…

  • CVE-2022-31024 · Jun 2, 2022
    risk 0.00 · cvss · epss 0.01

    richdocuments is the repository for Nextcloud Collabora, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and…

  • CVE-2022-29243 · May 31, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into…

  • CVE-2022-29163 · May 20, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.6 and 23.0.3, a user can create a link that is not password protected even if the administrator requires links to be password protected. Versions 22.2.6 and…

  • CVE-2022-29160 · May 20, 2022
    risk 0.00 · cvss · epss 0.00

    Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details exist after deletion of a user account. This could result in misuse of the former account holder's information.…

  • CVE-2022-24906 · May 20, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround…

  • CVE-2022-29159 · May 20, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this…

  • CVE-2022-24889 · Apr 27, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding…

  • CVE-2022-24888 · Apr 27, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects…

  • CVE-2022-24886 · Apr 27, 2022
    risk 0.00 · cvss · epss 0.00

    Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself.…

  • CVE-2021-41233 · Mar 10, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud Text is a collaborative document editor using Markdown, built for the Nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful…

  • CVE-2022-24741 · Mar 9, 2022
    risk 0.00 · cvss · epss 0.02

    Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud…

  • CVE-2021-41241 · Mar 8, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted…

  • CVE-2021-41239 · Mar 8, 2022
    risk 0.00 · cvss · epss 0.01

    Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings…

  • CVE-2021-41166 · Jan 26, 2022
    risk 0.00 · cvss · epss 0.01

    The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may…

  • CVE-2021-43863 · Jan 25, 2022
    risk 0.00 · cvss · epss 0.02

    The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security…

  • CVE-2021-25524 · Dec 8, 2021
    risk 0.00 · cvss · epss 0.00

    Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID.

  • CVE-2021-41256 · Nov 30, 2021
    risk 0.00 · cvss · epss 0.01

    nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected…

  • CVE-2021-25507 · Nov 5, 2021
    risk 0.00 · cvss · epss 0.00

    Improper authorization vulnerability in Samsung Flow mobile application prior to 4.8.03.5 allows Samsung Flow PC application connected with user device to access part of notification data in Secure Folder without authorization.

  • CVE-2021-41179 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user…

  • CVE-2021-41178 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.02

    Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged…

  • CVE-2021-41177 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as `AnonRateThrottle` or…

  • CVE-2021-39224 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud OfficeOnline application prior to version 1.1.1 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file…

  • CVE-2021-39225 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows other authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9,…

  • CVE-2021-39223 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see…

  • CVE-2021-39221 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file…

  • CVE-2021-39220 · Oct 25, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Mail application prior to versions 1.10.4 and 1.11.0 does not, by default, render images in emails, so as not to leak the read state or user IP. The privacy filter failed to filter images with a relative…

  • CVE-2021-32802 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.03

    Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There…

  • CVE-2021-32801 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.00

    Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded…

  • CVE-2021-32800 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.02

    Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account.…

  • CVE-2021-37629 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Richdocuments is an open source collaborative office suite. In affected versions there is a lack of rate limiting on the Richdocuments OCS endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. It is recommended that the Nextcloud…

  • CVE-2021-37628 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.02

    Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop features ("Upload Only" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app. An attacker was able to read arbitrary files in such a share.…

  • CVE-2021-32782 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Circles is an open source social network built for the Nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due to the strict Content-Security-Policy shipped with Nextcloud, this…

  • CVE-2021-37630 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application allowed any user to join any "Secret Circle" without approval by the Circle owner leaking private information. It is recommended that…

  • CVE-2021-37631 · Sep 7, 2021
    risk 0.00 · cvss · epss 0.01

    Deck is an open source kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions the Deck application didn't properly check membership of users in a Circle. This allowed other users in the…

  • CVE-2021-32748 · Jul 27, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Richdocuments is an open source self hosted online office. Nextcloud uses the WOPI ("Web Application Open Platform Interface") protocol to communicate with the Collabora Editor; the communication between these two services was not protected by credentials or IP…

  • CVE-2021-32741 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue…

  • CVE-2021-32734 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on…

  • CVE-2021-32726 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, WebAuthn tokens were not deleted after a user had been deleted. If a victim reused a previously used username, the previous user could gain access to their account.…

  • CVE-2021-32725 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3.…

  • CVE-2021-32707 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the…

  • CVE-2021-32705 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The…

  • CVE-2021-32703 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in…

  • CVE-2021-32688 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.02

    Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application-specific tokens for authentication purposes. These tokens are supposed to be granted to specific applications (e.g. DAV sync clients), and can also be configured by the…

  • CVE-2021-32680 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.00

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged.…

  • CVE-2021-32679 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`,…

  • CVE-2021-32678 · Jul 12, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends…

  • CVE-2021-32694 · Jun 17, 2021
    risk 0.00 · cvss · epss 0.01

    Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device can crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.

Page 5 of 7