
Nextcloud Server vulnerabilities

189 known vulnerabilities affecting nextcloud/nextcloud_server.

Total CVEs: 189
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 42, MEDIUM 125, LOW 15

Vulnerabilities

Page 9 of 10
CVE-2017-0885 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.0.55 | affected: ≥ 10.0.0, < 10.0.2 (+1 more) | 2017-04-05
CWE-209: Nextcloud Server before 9.0.55 and 10.0.2 suffers from an error message disclosing the existence of files in a write-only share. Due to an error in the application logic, an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.
Source: nvd
CVE-2019-5449 | P4 | MEDIUM | CVSS 4.3 | fixed in 15.0.1 | affected: v15.0.1 | 2019-07-30
CWE-287: A missing check in the Nextcloud Server prior to version 15.0.1 causes leaking of calendar event names when adding or modifying confidential or private events.
Source: nvd
CVE-2019-15616 | P4 | MEDIUM | CVSS 4.3 | fixed in 17.0.0 | affected: v17.0.0 | 2020-02-04
CWE-93: Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.
Source: nvd
CVE-2020-8122 | P4 | MEDIUM | CVSS 4.3 | fixed in 12.0.13 | affected: ≥ 13.0.0, < 13.0.8 (+3 more) | 2020-02-04
CWE-284: A missing check in Nextcloud Server 14.0.3 could give the recipient the possibility to extend the expiration date of a share they received.
Source: nvd
CVE-2017-0884 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.0.55 | affected: ≥ 10.0.0, < 10.0.2 (+1 more) | 2017-04-05
CWE-275: Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of folders in read-only folders despite lacking permissions issue. Due to a logical error in the file caching layer an authenticated adversary is able to create empty folders inside a shared folder. Note that this only affects folders and files that the adversary has at least read-only
Source: nvd
CVE-2023-39961 | P4 | MEDIUM | CVSS 4.3 | affected: ≥ 25.0.0, < 25.0.9; ≥ 26.0.0, < 26.0.4 (+1 more) | 2023-08-10
CWE-284: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4
Source: nvd
CVE-2021-22878 | P4 | MEDIUM | CVSS 4.8 | fixed in 20.0.6 | affected: Fixed in 20.0.6 | 2021-03-03
CWE-79: Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
Source: nvd
CVE-2019-15619 | P4 | MEDIUM | CVSS 4.8 | fixed in 16.0.4 | affected: v16.0.4 | 2020-02-04
CWE-79: Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each other in a project.
Source: nvd
CVE-2019-15618 | P4 | MEDIUM | CVSS 4.8 | fixed in 14.0.9 | affected: ≥ 15.0.0, < 15.0.6 (+1 more) | 2020-02-04
CWE-79: Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.
Source: nvd
CVE-2017-0894 | P4 | MEDIUM | CVSS 4.3 | fixed in 11.0.3 | affected: before 11.0.3 | 2017-05-08
CWE-285: Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error, potentially granting an attacker access to publicly shared calendars without knowing the share token.
Source: nvd
CVE-2023-48305 | P4 | MEDIUM | CVSS 4.4 | affected: ≥ 25.0.0, < 25.0.11; ≥ 26.0.0, < 26.0.6 (+1 more) | 2023-11-21
CWE-312: Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, when the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then le
Source: nvd
CVE-2020-8117 | P4 | MEDIUM | CVSS 4.3 | fixed in 12.0.13 | affected: ≥ 13.0.0, < 13.0.8 (+2 more) | 2020-02-04
CWE-280: Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.
Source: nvd
CVE-2020-8152 | P4 | MEDIUM | CVSS 4.4 | fixed in 20.0.0 | affected: Fixed in 20.0.0 | 2020-11-16
CWE-522: Insufficient protection of the server-side encryption keys in Nextcloud Server 19.0.1 allowed an attacker to replace the public key to decrypt them later on.
Source: nvd
CVE-2024-52514 | P4 | LOW | CVSS 3.5 | affected: ≥ 21.0.0, < 21.0.9.18; ≥ 22.0.0, < 22.2.10.23 (+6 more) | 2024-11-15
CWE-284: Nextcloud Server is a self-hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud, allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommen
Source: nvd
CVE-2019-5451 | P4 | MEDIUM | CVSS 4.6 | fixed in 3.6.1 | 2019-07-30
CWE-288: Bypass lock protection in the Nextcloud Android app prior to version 3.6.1 allows accessing the files when repeatedly opening and closing the app in a very short time.
Source: nvd
CVE-2021-32655 | P4 | LOW | CVSS 3.5 | fixed in 19.0.11 | affected: ≥ 20.0.0, < 20.0.10 (+1 more) | 2021-06-01
CWE-241: Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected
Source: nvd
CVE-2024-22403 | P4 | LOW | CVSS 3.7 | fixed in 28.0.0 | 2024-01-18
CWE-613: Nextcloud server is a self-hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code, they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an a
Source: nvd
CVE-2020-8150 | P4 | MEDIUM | CVSS 4.1 | fixed in 19.0.2 | affected: v19.0.2 | 2020-11-09
CWE-310: A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.
Source: nvd
CVE-2017-0892 | P4 | LOW | CVSS 3.5 | fixed in 11.0.3 | affected: before 11.0.3 | 2017-05-08
CWE-285: Nextcloud Server before 11.0.3 is vulnerable to improper session handling that allowed an application-specific password without file-access permission to access the user's files.
Source: nvd
CVE-2024-37887 | P4 | LOW | CVSS 3.5 | affected: ≥ 27.0.0, < 27.1.10; ≥ 28.0.0, ≤ 28.0.6 (+2 more) | 2024-06-14
CWE-284: Nextcloud Server is a self-hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.
Source: nvd