Nextcloud Server vulnerabilities

181 known vulnerabilities affecting nextcloud/nextcloud_server.

Total CVEs: 181
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 7, HIGH 41, MEDIUM 118, LOW 15

Vulnerabilities (Page 4 of 10)
CVE-2023-26482 | HIGH | CVSS 8.8 | 2023-03-30
Affected: ≥ 18.0.0, < 20.0.14.12; ≥ 21.0.0, < 21.0.9.10; +4 more
Advisory label: CRITICAL, CWE-78
Description: Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server.
Source: nvd
CVE-2023-28644 | HIGH | CVSS 7.5 | 2023-03-30
Affected: ≥ 25.0.0, < 25.0.3
Advisory label: MEDIUM, CWE-400
Description: Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performance and/or can lead to a denial of service. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 25.0.3. There are no known workarounds for this
Source: nvd
CVE-2023-25818 | HIGH | CVSS 7.1 | 2023-03-27
Affected: ≥ 21.0.0, < 21.0.9.10; ≥ 22.0.0, < 22.2.10.10; +3 more
Advisory label: MEDIUM, CWE-307
Description: Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute res
Source: nvd
CVE-2023-25817 | HIGH | CVSS 8.1 | 2023-03-27
Affected: ≥ 24.0.0, < 24.0.9
Advisory label: LOW, CWE-281
Description: Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9 a user could escalate their permissions to delete files they were not supposed to be able to delete, only view or download. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known wor
Source: nvd
CVE-2023-25820 | HIGH | CVSS 7.8 | 2023-03-22
Affected: ≥ 21.0.0, < 21.0.9; ≥ 22.2.0, < 22.2.10.10; +3 more
Advisory label: MEDIUM, CWE-307
Description: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x
Source: nvd
CVE-2023-25821 | HIGH | CVSS 7.5 | 2023-02-25
Affected: ≥ 24.0.4, < 24.0.7; v25.0.0
Advisory label: MEDIUM, CWE-284
Description: Nextcloud is an Open Source private cloud software. Versions 24.0.4 and above, prior to 24.0.7, and 25.0.0 and above, prior to 25.0.1, contain Improper Access Control. Secure view for internal shares can be circumvented if reshare permissions are also given. This issue is patched in versions 24.0.7 and 25.0.1. No workaround is available.
Source: nvd
CVE-2023-25816 | MEDIUM | CVSS 6.5 | 2023-02-25
Affected: ≥ 25.0.0, < 25.0.3
Advisory label: MEDIUM, CWE-400
Description: Nextcloud is an Open Source private cloud software. Versions 25.0.0 and above, prior to 25.0.3, are subject to Uncontrolled Resource Consumption. A user can configure a very long password, consuming more resources on password validation than desired. This issue is patched in 25.0.3. No workaround is available.
Source: nvd
CVE-2023-25579 | HIGH | CVSS 7.5 | 2023-02-22
Affected: fixed in 23.0.12; ≥ 20.0.0, < 20.0.14; +5 more
Advisory label: MEDIUM, CWE-22
Description: Nextcloud server is a self hosted home cloud product. In affected versions the `OC\Files\Node\Folder::getFullPath()` function was validating and normalizing the string in the wrong order. The function is used in the `newFile()` and `newFolder()` items, which may allow the creation of paths outside of one's own space and overwriting data from other user
Source: nvd
CVE-2023-25161 | MEDIUM | CVSS 5.3 | 2023-02-13
Affected: fixed in 23.0.12; ≥ 24.0.0, < 24.0.8; +1 more
Advisory label: LOW, CWE-284
Description: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1, 24.0.8, and 23.0.12 are missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services.
Source: nvd
CVE-2023-25162 | MEDIUM | CVSS 5.3 | 2023-02-13
Affected: fixed in 23.0.12; ≥ 24.0.0, < 24.0.8
Advisory label: MEDIUM, CWE-918
Description: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which
Source: nvd
CVE-2023-25159 | MEDIUM | CVSS 5.3 | 2023-02-13
Affected: ≥ 24.0.4, ≤ 24.0.8; v24.0.2; +1 more
Advisory label: LOW, CWE-284
Description: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocument
Source: nvd
CVE-2022-41970 | MEDIUM | CVSS 5.3 | 2022-12-01
Affected: ≥ 24.0.0, < 24.0.7; v25.0.0
Advisory label: LOW, CWE-284
Description: Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workarounds
Source: nvd
CVE-2022-41968 | MEDIUM | CVSS 5.3 | 2022-12-01
Affected: ≥ 23.0.0, < 23.0.10; ≥ 24.0.0, < 24.0.5
Advisory label: LOW, CWE-400
Description: Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.10 and 24.0.5, calendar name lengths are not validated before writing to a database. As a result, an attacker can send unnecessary amounts of data against the database. Versions 23.0.10 and 24.0.5 contain patches for the issue. No known workarounds are available.
Source: nvd
CVE-2022-41969 | LOW | CVSS 2.7 | 2022-12-01
Affected: ≥ 23.0.0, < 23.0.11; ≥ 24.0.0, < 24.0.7
Advisory label: LOW, CWE-400
Description: Nextcloud Server is an open source personal cloud server. Prior to versions 23.0.11, 24.0.7, and 25.0.0, there is no password length limit when creating a user as an administrator. An administrator can cause a limited DoS attack against their own server. Versions 23.0.11, 24.0.7, and 25.0.0 contain a fix for the issue. As a workaround, don't create use
Source: nvd
CVE-2022-39346 | MEDIUM | CVSS 6.5 | 2022-11-25
Affected: fixed in 22.2.10; ≥ 23.0.0, < 23.0.7; +1 more
Advisory label: LOW, CWE-20
Description: Nextcloud server is an open source personal cloud server. Affected versions of Nextcloud server did not properly limit user display names, which could allow a malicious user to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds f
Source: nvd
CVE-2022-39364 | MEDIUM | CVSS 6.5 | 2022-10-27
Affected: fixed in 23.0.9; ≥ 24.0.0, < 24.0.5
Advisory label: MEDIUM, CWE-312
Description: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Ser
Source: nvd
CVE-2022-39329 | MEDIUM | CVSS 5.3 | 2022-10-27
Affected: fixed in 23.0.9; ≥ 24.0.0, < 24.0.5
Advisory label: LOW, CWE-284
Description: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contain patches for this i
Source: nvd
CVE-2022-39330 | MEDIUM | CVSS 4.3 | 2022-10-27
Affected: fixed in 23.0.10; ≥ 24.0.0, < 24.0.6
Advisory label: MEDIUM, CWE-400
Description: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/CPU load. Nextcloud Server
Source: nvd
CVE-2022-39211 | MEDIUM | CVSS 5.3 | 2022-09-16
Affected: fixed in 23.0.8; ≥ 24.0.0, < 24.0.4
Advisory label: LOW, CWE-918
Description: Nextcloud server is an open source personal cloud platform. In affected versions it was found that locally running webservices can be found and requested erroneously. It is recommended that the Nextcloud Server is upgraded to 23.0.8 or 24.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.4, 23.0.8 or 24.0.4. There are n
Source: nvd
CVE-2022-36074 | HIGH | CVSS 7.5 | 2022-09-15
Affected: fixed in 23.0.7; ≥ 24.0.0, < 24.0.3
Advisory label: MEDIUM, CWE-200
Description: Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure: the Authorization header is not stripped on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended th
Source: nvd