Nextcloud Security-Advisories vulnerabilities
234 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 234
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 42, MEDIUM 157, LOW 24

Vulnerabilities (page 12 of 12)
CVE-2021-32678 | MEDIUM | CVSS 5.3 | CWE-799 | fixed in 19.0.13; affected >= 20.0.0, < 20.0.11; +1 more | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range
Sources: cvelistv5, nvd
CVE-2021-32725 | MEDIUM | CVSS 5.3 | CWE-277 | fixed in 19.0.13; affected >= 20.0.0, < 20.0.11; +1 more | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Sources: cvelistv5, nvd
CVE-2021-32707 | MEDIUM | CVSS 4.3 | CWE-20 | fixed in 1.9.6 | 2021-07-12
Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there wa
Sources: cvelistv5, nvd
CVE-2021-32680 | LOW | CVSS 3.3 | CWE-778 | fixed in 19.0.13; affected >= 20.0.0, < 20.0.11; +1 more | 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.
Sources: cvelistv5, nvd
CVE-2021-32694 | MEDIUM | CVSS 5.5 | CWE-248 | fixed in 3.15.1 | 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.15.1, a malicious application on the same device can crash the Nextcloud Android Client due to an uncaught exception. The vulnerability is patched in version 3.15.1.
Sources: cvelistv5, nvd
CVE-2021-32695 | LOW | CVSS 3.3 | CWE-200 | fixed in 3.16.1 | 2021-06-17
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gotten access to the shared preferences of the Nextcloud Android application. This required user-interaction as a victim had to initiate the sharing flow and choose the malicious app. The shared preferences contain some l
Sources: cvelistv5, nvd
CVE-2021-32676 | MEDIUM | CVSS 6.5 | CWE-384 | fixed in 9.0.10; affected >= 10.0.0, < 10.0.8; +1 more | 2021-06-16
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vu
Sources: cvelistv5, nvd
CVE-2021-32658 | MEDIUM | CVSS 4.6 | CWE-200 | fixed in 3.16.1 | 2021-06-08
Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It is recommended that the Nextcloud Android App is upgraded to 3.16.1.
Sources: cvelistv5, nvd
CVE-2021-32654 | CRITICAL | CVSS 9.1 | CWE-639 | fixed in 19.0.11; affected >= 20.0.0, < 20.0.10; +1 more | 2021-06-01
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.1
Sources: cvelistv5, nvd
CVE-2021-32656 | HIGH | CVSS 8.6 | CWE-284 | fixed in 19.0.11; affected >= 20.0.0, < 20.0.10; +1 more | 2021-06-01
Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supp
Sources: cvelistv5, nvd
CVE-2021-32657 | MEDIUM | CVSS 4.3 | CWE-400 | fixed in 19.0.11; affected >= 20.0.0, < 20.0.10; +1 more | 2021-06-01
Nextcloud Server is a Nextcloud package that handles data storage. In versions of Nextcloud Server prior to 19.0.11, 20.0.10, and 21.0.2, a malicious user may be able to break the user administration page. This would prevent administrators from administering users on the Nextcloud instance. The vulnerability is fixed in versions 19.0.11, 20.0.10, and
Sources: cvelistv5, nvd
CVE-2021-32652 | MEDIUM | CVSS 4.3 | CWE-284 | fixed in 1.4.3; affected >= 1.5.5, < 1.8.2 | 2021-06-01
Nextcloud Mail is a mail app for the Nextcloud platform. A missing permission check in Nextcloud Mail before 1.4.3 and 1.8.2 allows other authenticated users to access mail metadata of other users. Versions 1.4.3 and 1.8.2 contain patches for this vulnerability; no workarounds other than the patches are known to exist.
Sources: cvelistv5, nvd
CVE-2021-32655 | LOW | CVSS 3.5 | CWE-241 | fixed in 19.0.11; affected >= 20.0.0, < 20.0.10; +1 more | 2021-06-01
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected
Sources: cvelistv5, nvd
CVE-2021-32653 | LOW | CVSS 2.7 | CWE-201 | fixed in 19.0.11; affected >= 20.0.0, < 20.0.10; +1 more | 2021-06-01
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
Sources: cvelistv5, nvd