
Nextcloud Server vulnerabilities

189 known vulnerabilities affecting nextcloud/nextcloud_server.

Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15

Vulnerabilities

Page 2 of 10
CVE-2021-41177 | P3 | HIGH | CVSS 8.1 | fixed in 20.0.13; ≥ 21.0.0, < 21.0.5; +1 more | 2021-10-25
CVE-2021-41177 [HIGH] CWE-799: Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache b…
Source: nvd
CVE-2023-35927 | P3 | HIGH | CVSS 8.1 | ≥ 16.0.0, < 19.0.13.9; ≥ 20.0.0, < 20.0.14.14; +6 more | 2023-06-23
CVE-2023-35927 [HIGH] CWE-284: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7,…
Source: nvd
CVE-2024-52519 | P3 | HIGH | CVSS 8.2 | ≥ 27.0.0, < 27.1.11.8; ≥ 28.0.0, < 28.0.10; +1 more | 2024-11-15
CVE-2024-52519 [HIGH] CWE-922: Nextcloud Server is a self-hosted personal cloud system. The OAuth2 client secrets were stored in a recoverable way, so that an attacker that got access to a backup of the database and the Nextcloud config file would be able to decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is…
Source: nvd
CVE-2023-25817 | P3 | HIGH | CVSS 8.1 | ≥ 24.0.0, < 24.0.9 | 2023-03-27
CVE-2023-25817 [HIGH] CWE-281: Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9, a user could escalate their permissions to delete files they were not supposed to be able to delete but only view or download. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known wo…
Source: nvd
CVE-2024-37882 | P3 | HIGH | CVSS 8.1 | ≥ 26.0.0, < 26.0.13; ≥ 27.0.0, < 27.1.8; +4 more | 2024-06-14
CVE-2024-37882 [HIGH] CWE-284: Nextcloud Server is a self-hosted personal cloud system. A recipient of a share with read & share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.
Source: nvd
CVE-2021-32705 | P3 | HIGH | CVSS 7.5 | fixed in 19.0.13; ≥ 20.0.0, < 20.0.11; +1 more | 2021-07-12
CVE-2021-32705 [HIGH] CWE-799: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, there was a lack of rate limiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known…
Source: nvd
CVE-2023-39962 | P3 | HIGH | CVSS 7.7 | ≥ 19.0.0, < 19.0.13.10; ≥ 20.0.0, < 20.0.14.15; +7 more | 2023-08-10
CVE-2023-39962 [HIGH] CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well.
Source: nvd
CVE-2023-39960 | P3 | HIGH | CVSS 7.5 | ≥ 22.0.0, < 22.2.10.14; ≥ 23.0.0, < 23.0.12.9; +3 more | 2023-10-13
CVE-2023-39960 [HIGH] CWE-307: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.0.9 and 26.0.4; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the…
Source: nvd
CVE-2020-8154 | P3 | HIGH | CVSS 7.7 | fixed in 17.0.5; ≥ 18.0.0, < 18.0.3; +1 more | 2020-05-12
CVE-2020-8154 [HIGH] CWE-639: An insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint.
Source: nvd
CVE-2023-25821 | P3 | HIGH | CVSS 7.5 | ≥ 24.0.4, < 24.0.7; v25.0.0 | 2023-02-25
CVE-2023-25821 [HIGH] CWE-284: Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.
Source: nvd
CVE-2023-32320 | P3 | HIGH | CVSS 7.5 | ≥ 21.0.0, < 21.0.9.12; ≥ 22.0.0, < 22.2.10.12; +4 more | 2023-06-22
CVE-2023-32320 [HIGH] CWE-307: Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the number of faulty requests exceeded the limit by the time the response was sent to the client. This allowed someone to send as many requests as the server could handle in parallel…
Source: nvd
CVE-2023-28847 | P3 | HIGH | CVSS 7.5 | ≥ 23.0.0, < 23.0.12.6; ≥ 24.0.0, < 24.0.11; +1 more | 2023-04-25
CVE-2023-28847 [HIGH] CWE-307: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share link…
Source: nvd
CVE-2023-28835 | P3 | HIGH | CVSS 7.5 | ≥ 23.0.0, < 23.0.14; ≥ 24.0.0, < 24.0.10; +1 more | 2023-03-30
CVE-2023-28835 [HIGH] CWE-338: Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak-complexity random number generator, so when the sharer did not change it, the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgra…
Source: nvd
CVE-2023-25579 | P3 | HIGH | CVSS 7.5 | fixed in 23.0.12; ≥ 20.0.0, < 20.0.14; +5 more | 2023-02-22
CVE-2023-25579 [HIGH] CWE-22: Nextcloud server is a self-hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow the creation of paths outside of one's own space and overwriting data from other users…
Source: nvd
CVE-2024-52525 | P3 | HIGH | CVSS 7.5 | ≥ 28.0.0, < 28.0.12; ≥ 29.0.0, < 29.0.9; +1 more | 2024-11-15
CVE-2024-52525 [HIGH] CWE-312: Nextcloud Server is a self-hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process to get access to the clea…
Source: nvd
CVE-2026-45279 | P3 | MEDIUM | CVSS 6.5 | ≥ 31.0.0, < 31.0.14; ≥ 32.0.0, < 32.0.4; +3 more | 2026-06-01
CVE-2026-45279 [MEDIUM] CWE-22: Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.14, and 32.0.0 to before 32.0.4, if {lang} is used in the template directory config value, non-admin users can in some cases copy arbitrary files (depending on unix permissions) into their own Nextcloud directory via a path traversal. I…
Source: nvd
CVE-2018-3761 | P3 | HIGH | CVSS 8.1 | fixed in 12.0.8; ≥ 13.0.0, < 13.0.3; +1 more | 2018-07-05
CVE-2018-3761 [HIGH] CWE-287: Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised.
Source: nvd
CVE-2023-25820 | P3 | HIGH | CVSS 7.8 | ≥ 21.0.0, < 21.0.9; ≥ 22.2.0, < 22.2.10.10; +3 more | 2023-03-22
CVE-2023-25820 [HIGH] CWE-307: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x p…
Source: nvd
CVE-2022-36074 | P3 | HIGH | CVSS 7.5 | fixed in 23.0.7; ≥ 24.0.0, < 24.0.3 | 2022-09-15
CVE-2022-36074 [HIGH] CWE-200: Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure, as the server fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that…
Source: nvd
CVE-2024-37313 | P3 | HIGH | CVSS 7.5 | ≥ 21.0.0, < 21.0.9.17; ≥ 22.0.0, < 22.2.10.22; +6 more | 2024-06-14
CVE-2024-37313 [HIGH] CWE-287: Nextcloud server is a self-hosted personal cloud system. Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0…
Source: nvd