Nextcloud Server vulnerabilities

CVE-2023-39962 [HIGH] CWE-284 CVE-2023-39962: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in ver Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well.

CVE-2023-39963 [HIGH] CWE-284 CVE-2023-39963: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in ver Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwo

CVE-2023-39961 [LOW] CWE-284 CVE-2023-39961: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in ver Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, a

CVE-2023-39958 [MEDIUM] CWE-307 CVE-2023-39958: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in ver Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1

CVE-2023-39959 [LOW] CWE-284 CVE-2023-39959: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in ver Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, an

CVE-2023-39952 [MEDIUM] CWE-284 CVE-2023-39952: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in ver Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud

CVE-2023-35172 [HIGH] CWE-307 CVE-2023-35172: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted p NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7,

CVE-2023-35927 [HIGH] CWE-284 CVE-2023-35927: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted p NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7,

CVE-2023-35928 [HIGH] CWE-274 CVE-2023-35928: Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In N Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.

CVE-2023-35171 [MEDIUM] CWE-601 CVE-2023-35171: NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted p NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. Starting in version 26.0.0 and prior to version 26.0.2, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's site. Nextcloud Server and Nextcloud Enterprise Server 26.0.2

CVE-2023-32320 [HIGH] CWE-307 CVE-2023-32320: Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When m Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to send as many requests the server could handle in parallel

CVE-2023-32318 [HIGH] CWE-613 CVE-2023-32318: Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Se Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be aut

CVE-2023-32319 [HIGH] CWE-307 CVE-2023-32319: Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0

CVE-2023-28847 [LOW] CWE-307 CVE-2023-28847: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links

CVE-2023-30539 [MEDIUM] CWE-284 CVE-2023-30539: Nextcloud is a personal home server system. Depending on the set up tags and other workflows this is Nextcloud is a personal home server system. Depending on the set up tags and other workflows this issue can be used to limit access of others or being able to grant them access when there are system tag based files access control or files retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Ent

CVE-2023-28834 [LOW] CWE-212 CVE-2023-28834: Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 2 Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from

CVE-2023-28844 [MEDIUM] CWE-284 CVE-2023-28844: Nextcloud server is an open source home cloud implementation. In affected versions users that should Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnera

CVE-2023-28835 [LOW] CWE-338 CVE-2023-28835: Nextcloud server is an open source home cloud implementation. In affected versions the generated fal Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgrad

CVE-2023-28833 [LOW] CWE-22 CVE-2023-28833: Nextcloud server is an open source home cloud implementation. In affected versions admins of a serve Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provided a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means but this method could be exploited by

CVE-2023-28643 [MEDIUM] CWE-706 CVE-2023-28643: Nextcloud server is an open source home cloud implementation. In affected versions when a recipient Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to