cvebase

Nextcloud Server vulnerabilities

189 known vulnerabilities affecting nextcloud/nextcloud_server.

Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15

Vulnerabilities

Page 7 of 10
CVE-2019-15617 | P4 | MEDIUM | CVSS 5.4 | fixed in 17.0.1 | v17.0.1 | 2020-02-04
CWE-287: A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to log in.
nvd
CVE-2018-16465 | P4 | MEDIUM | CVSS 5.3 | fixed in 14.0.0 | v<14.0.0 | 2018-10-30
CWE-287: Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the provider of the second factor failed to load.
nvd
CVE-2022-41970 | P4 | MEDIUM | CVSS 5.3 | ≥ 24.0.0, < 24.0.7 | v25.0.0 | 2022-12-01
CWE-284: Nextcloud Server is an open source personal cloud server. Prior to versions 24.0.7 and 25.0.1, disabled download shares still allow download through preview images. Images could be downloaded and previews of documents (first page) can be downloaded without being watermarked. Versions 24.0.7 and 25.0.1 contain a fix for this issue. No known workaroun
nvd
CVE-2020-8118 | P4 | MEDIUM | CVSS 5.0 | fixed in 15.0.9 | ≥ 16.0.0, < 16.0.2 | +1 more | 2020-02-04
CWE-918: An authenticated server-side request forgery in Nextcloud Server 16.0.1 allowed detection of local and remote services when adding a new subscription in the calendar application.
nvd
CVE-2019-15624 | P4 | MEDIUM | CVSS 4.9 | fixed in 14.0.11 | ≥ 15.0.0, < 15.0.8 | +1 more | 2020-02-04
CWE-20: Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
nvd
CVE-2023-25159 | P4 | MEDIUM | CVSS 5.3 | ≥ 24.0.4, ≤ 24.0.8 | v24.0.2 | +1 more | 2023-02-13
CWE-284: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Office is a document collaboration app for the same platform. Nextcloud Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, Nextcloud Enterprise Server 24.0.x prior to 24.0.8 and 25.0.x prior to 25.0.1, and Nextcloud Office (Richdocum
nvd
CVE-2016-9461 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.0.52 | 2017-03-28
CWE-275: Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify exi
nvd
CVE-2019-15612 | P4 | MEDIUM | CVSS 5.9 | ≥ 13.0.0, < 13.0.11 | ≥ 14.0.0, < 14.0.7 | +2 more | 2020-02-04
CWE-384: A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
nvd
CVE-2017-0890 | P4 | MEDIUM | CVSS 5.4 | fixed in 11.0.3 | vbefore 11.0.3 | 2017-05-08
CWE-79: Nextcloud Server before 11.0.3 is vulnerable to inadequate escaping leading to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue.
nvd
CVE-2021-32801 | P4 | MEDIUM | CVSS 5.5 | fixed in 20.0.12 | ≥ 21.0.0, < 21.0.4 | +1 more | 2021-09-07
CWE-532: Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are ad
nvd
CVE-2020-8133 | P4 | MEDIUM | CVSS 5.3 | v19.0.1 | v19.0.2 | 2020-11-09
CWE-657: A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.
nvd
CVE-2016-9462 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.0.52 | 2017-03-28
CWE-275: Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions.
nvd
CVE-2021-32657 | P4 | MEDIUM | CVSS 4.3 | fixed in 19.0.11 | ≥ 20.0.0, < 20.0.10 | +1 more | 2021-06-01
CWE-400: Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 10.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would prevent administrators from administering users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and
nvd
CVE-2020-8120 | P4 | MEDIUM | CVSS 6.1 | v16.0.1 | 2020-02-04
CWE-79: A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation.
nvd
CVE-2020-8155 | P4 | MEDIUM | CVSS 5.4 | fixed in 18.0.3 | v18.0.3 | 2020-05-12
CWE-79: An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF.
nvd
CVE-2017-0893 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.0.58 | ≥ 10.0.0, < 10.0.5 | +2 more | 2017-05-08
CWE-79: Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vulnerable JavaScript library for sanitizing untrusted user input, which suffered from an XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.
nvd
CVE-2017-0891 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.0.58 | ≥ 10.0.0, < 10.0.5 | +2 more | 2017-05-08
CWE-79: Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to inadequate escaping of error messages leading to XSS vulnerabilities in multiple components.
nvd
CVE-2022-24888 | P4 | MEDIUM | CVSS 4.3 | fixed in 20.0.14.4 | ≥ 21.0.0, < 21.0.8 | +2 more | 2022-04-27
CWE-74: Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names,
nvd
CVE-2023-48304 | P4 | MEDIUM | CVSS 4.3 | ≥ 22.0.0, ≤ 22.2.10.16 | ≥ 23.0.0, < 23.0.12.11 | +4 more | 2023-11-21
CWE-639: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could ena
nvd
CVE-2025-47794 | P4 | MEDIUM | CVSS 4.3 | ≥ 26.0.0, < 26.0.13.13 | ≥ 27.0.0, < 27.1.11.13 | +4 more | 2025-05-16
CWE-284: Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 29.0.13, 30.0.7, and 31.0.1 and Nextcloud Enterprise Server prior to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, and 31.0.1, an attacker on a multi-user system may read temporary files from Nextcloud running with a different user account, or run a symlink a
nvd