Nextcloud Security-Advisories vulnerabilities
234 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 234
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 11, HIGH 42, MEDIUM 157, LOW 24

Vulnerabilities (page 3 of 12)

CVE-2024-52516 | MEDIUM | CVSS 4.3 | CWE-269 | affected: >= 28.0.0, < 28.0.9; >= 29.0.0, < 29.0.5 | published 2024-11-15
Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in one's own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is

CVE-2024-52514 | LOW | CVSS 3.5 | CWE-284 | affected: >= 28.0.0, < 28.0.5; >= 27.0.0, < 27.1.9 | published 2024-11-15
Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommen

CVE-2024-37882 | HIGH | CVSS 8.1 | CWE-284 | affected: >= 26.0.0, < 26.0.13; >= 27.0.0, < 27.1.8 (+1 more) | published 2024-06-14
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.

CVE-2024-37313 | HIGH | CVSS 7.5 | CWE-287 | affected: >= 26.0.0, < 26.0.13; >= 27.0.0, < 27.1.8 (+1 more) | published 2024-06-14
Nextcloud server is a self hosted personal cloud system. Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0

CVE-2024-37885 | HIGH | CVSS 7.8 | CWE-94 | fixed in 3.12.0 | published 2024-06-14
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed arbitrary code to be loaded when starting the client with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.

CVE-2024-37316 | MEDIUM | CVSS 4.6 | CWE-241 | affected: >= 4.3.0, < 4.6.8; >= 4.7.0, < 4.7.2 | published 2024-06-14
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2.

CVE-2024-37884 | MEDIUM | CVSS 5.4 | CWE-284 | affected: >= 26.0.0, < 26.0.13; >= 27.0.0, < 27.1.8 (+1 more) | published 2024-06-14
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.

CVE-2024-37883 | MEDIUM | CVSS 4.3 | CWE-284 | affected: >= 1.6.0, < 1.6.6; >= 1.7.0, < 1.7.5 (+4 more) | published 2024-06-14
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A user with access to a deck board was able to access comments and attachments of already deleted cards. It is recommended that the Nextcloud Deck app is upgraded to 1.6.6 or 1.7.5 or 1.8.7 or 1.9.6 or 1.11.3 or

CVE-2024-37315 | MEDIUM | CVSS 4.3 | CWE-284 | affected: >= 26.0.0, < 26.0.12; >= 27.0.0, < 27.1.7 (+1 more) | published 2024-06-14
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.1

CVE-2024-37886 | MEDIUM | CVSS 4.7 | CWE-347 | fixed in 1.3.5 | published 2024-06-14
user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.

CVE-2024-37317 | MEDIUM | CVSS 4.6 | CWE-284 | affected: >= 4.6.0, < 4.9.3 | published 2024-06-14
The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder to store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.

CVE-2024-37312 | MEDIUM | CVSS 6.3 | CWE-284 | affected: ≤ 1.3.6 | published 2024-06-14
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account, eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0

CVE-2024-37887 | LOW | CVSS 3.5 | CWE-284 | affected: >= 27.0.0, < 27.1.10; >= 27.0.0, < 28.0.6 (+1 more) | published 2024-06-14
Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.

CVE-2024-37314 | LOW | CVSS 3.5 | CWE-284 | affected: >= 25.0.1, < 25.0.7; >= 26.0.0, < 26.0.2 | published 2024-06-14
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.

CVE-2024-22212 | CRITICAL | CVSS 9.8 | CWE-306 | affected: >= 1.1.0, < 1.4.1; >= 2.0.0, < 2.1.2 (+2 more) | published 2024-01-18
Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. T

CVE-2024-22402 | MEDIUM | CVSS 5.4 | CWE-281 | affected: >= 2.4.0, < 2.4.1; >= 2.5.0, < 2.5.1 (+1 more) | published 2024-01-18
Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1

CVE-2024-22401 | MEDIUM | CVSS 4.3 | CWE-281 | affected: >= 2.4.0, < 2.4.1; >= 2.5.0, < 2.5.1 (+1 more) | published 2024-01-18
Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerabi

CVE-2024-22400 | MEDIUM | CVSS 6.1 | CWE-601 | affected: >= 5.0.0, < 5.1.5; >= 5.2.0, < 5.2.5 (+1 more) | published 2024-01-18
Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions users can be given a link to the Nextcloud server and end up on an uncontrolled third-party server. It is recommended that the User Saml app is upgraded to version 5.1.5, 5.2.5, or 6.0.1. There are no known workarounds for this issue.

CVE-2024-22213 | MEDIUM | CVSS 5.4 | CWE-79 | affected: >= 1.9.0, < 1.9.5; >= 1.10.0, < 1.11.2 | published 2024-01-18
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into executing malicious code that would execute in their browser via HTML sent as a comment. It is recommended that the Nextcloud Deck is upgraded to version 1.9.5 or 1.11.2. Th

CVE-2024-22404 | MEDIUM | CVSS 4.3 | CWE-281 | affected: >= 1.2.0, < 1.2.1; >= 1.3.0, < 1.4.1 | published 2024-01-18
Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app.