Nextcloud Security-Advisories vulnerabilities

234 known vulnerabilities affecting nextcloud/security-advisories.

Total CVEs: 234
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: CRITICAL 11, HIGH 42, MEDIUM 157, LOW 24

Vulnerabilities

Page 9 of 12
CVE-2022-36075 | MEDIUM | CVSS 4.3 | fixed in 1.12.2; affected >= 1.13.0, < 1.13.1 (+1 more) | 2022-09-15
CWE-200. Nextcloud Files Access Control is a Nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known work
Sources: cvelistv5, nvd
CVE-2022-35931 | LOW | CVSS 2.7 | affected >= 24.0.0, < 24.0.3; fixed in 22.2.10 (+1 more) | 2022-09-06
CWE-261. Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords that the validator itself would block. Upgrade Nextcloud Server to 22.2.10, 23.0.7 or 24.0.3 to receive a patch fo
Sources: cvelistv5, nvd
CVE-2022-35932 | MEDIUM | CVSS 5.3 | affected >= 12.2.0, < 12.2.7; >= 13.0.0, < 13.0.7 (+1 more) | 2022-08-12
CWE-359. Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently n
Sources: cvelistv5, nvd
CVE-2022-31132 | CRITICAL | CVSS 9.8 | fixed in 1.12.8; affected >= 1.13.0, < 1.13.6 | 2022-08-04
CWE-918. Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions shipped with a CSS minifier on the path `./vendor/cerdic/css-tidy/css_optimiser.php`. Access to the minifier is unrestricted and access may lead to Server-Side Request Forgery (SSRF). It is recommended to upgrade to Mail 1.12.7 or Mail 1.13.6. Users
Sources: cvelistv5, nvd
CVE-2022-31119 | MEDIUM | CVSS 4.9 | fixed in 1.12.1 | 2022-08-04
CWE-532. Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions of Nextcloud Mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs, complete access to the affected accounts would be obtainable. It is recommended that Nextcloud Mail is upgraded to 1.12.1.
Sources: cvelistv5, nvd
CVE-2022-31118 | MEDIUM | CVSS 5.3 | affected >= 23.0.0, < 23.0.4; fixed in 22.2.7 | 2022-08-04
CWE-770. Nextcloud Server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (tokens are 15 characters drawn from `a-zA-Z0-9`, i.e. 62^15 possibilities, so the missing piece is throttling rather than token length). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrad
Sources: cvelistv5, nvd
CVE-2022-31120 | MEDIUM | CVSS 6.5 | affected >= 23.0.0, < 23.0.4; fixed in 22.2.7 | 2022-08-04
CWE-778. Federated share accepting/declining is not logged in the audit log in Nextcloud Server. Nextcloud Server is an open source personal cloud solution. The audit log is meant to give a full trail of actions, but it had been incompletely populated: in affected versions federated share events were not properly logged, which would allow brute force attacks to go unnoticed. This behavior exacerb
Sources: cvelistv5
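The two federated-share advisories above (CVE-2022-31118, missing throttling; CVE-2022-31120, attempts missing from the audit log) describe two halves of one control. The following is an added example in illustrative Python, not Nextcloud's PHP code: it computes the token keyspace from the alphabet and length the advisory gives, and shows a per-source failure throttle that writes every outcome to an audit trail. The thresholds, event names, IP addresses and the sample token are constructed for the demo.

```python
"""Added example (illustrative Python, not Nextcloud code): token keyspace
from the advisory's alphabet, plus a throttled, audited token check.
Thresholds, event names and sample data are assumptions for this demo."""
import math
from collections import defaultdict, deque

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # a-zA-Z0-9
TOKEN_LENGTH = 15


def keyspace() -> int:
    """Number of possible federated share tokens: 62 ** 15."""
    return len(ALPHABET) ** TOKEN_LENGTH


def keyspace_bits() -> float:
    """The same quantity in bits (about 89.3); large, but only meaningful
    if the number of guesses per source is bounded."""
    return TOKEN_LENGTH * math.log2(len(ALPHABET))


class FederatedShareGate:
    """Checks incoming share tokens, throttles repeated failures per source
    and records every outcome (the part CVE-2022-31120 says was missing)."""

    def __init__(self, valid_tokens, max_failures=5, window_seconds=60.0):
        self.valid_tokens = set(valid_tokens)
        self.max_failures = max_failures          # assumed budget
        self.window = window_seconds              # assumed sliding window
        self.failures = defaultdict(deque)        # source -> failure timestamps
        self.audit_log = []                       # list of event dicts

    def _record(self, event, source, now, **extra):
        self.audit_log.append({"event": event, "source": source, "time": now, **extra})

    def attempt(self, source: str, token: str, now: float) -> str:
        """Returns 'accepted', 'rejected' or 'throttled'. `now` is passed in
        explicitly so the behaviour is deterministic."""
        recent = self.failures[source]
        while recent and now - recent[0] > self.window:
            recent.popleft()                      # drop failures outside the window
        if len(recent) >= self.max_failures:
            # Throttle even a correct guess: once the budget is spent the
            # source waits, so a brute-force hit cannot be confirmed quickly.
            self._record("federated_share.token_throttled", source, now)
            return "throttled"
        if token in self.valid_tokens:
            self._record("federated_share.token_accepted", source, now)
            return "accepted"
        recent.append(now)
        self._record("federated_share.token_rejected", source, now,
                     failures_in_window=len(recent))
        return "rejected"


def run_demo():
    """Constructed scenario: one source guesses five wrong tokens and then
    the right one; another source is unaffected; the first source is allowed
    again once the window has passed. Returns (outcomes, audit_log)."""
    gate = FederatedShareGate(valid_tokens={"Qm3xT9vLp2Ra7Yk"})   # 15-char demo token
    outcomes = []
    for i in range(5):
        outcomes.append(gate.attempt("203.0.113.7", f"guess{i:0>10}", now=float(i)))
    outcomes.append(gate.attempt("203.0.113.7", "Qm3xT9vLp2Ra7Yk", now=5.0))
    outcomes.append(gate.attempt("198.51.100.2", "Qm3xT9vLp2Ra7Yk", now=5.0))
    outcomes.append(gate.attempt("203.0.113.7", "Qm3xT9vLp2Ra7Yk", now=70.0))
    return outcomes, gate.audit_log


if __name__ == "__main__":
    print(f"keyspace: {keyspace()} ({keyspace_bits():.1f} bits)")
    outcomes, log = run_demo()
    print(outcomes)
    for entry in log:
        print(entry)
```

The point of the audit entries is that the five rejections and the throttle event from one source are visible in sequence, which is exactly what a defender needs to notice a brute-force attempt.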
CVE-2022-31131 | MEDIUM | CVSS 4.3 | fixed in 1.12.2 | 2022-07-06
CWE-287. Nextcloud Mail is a mail app for the Nextcloud home server product. Versions of Nextcloud Mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. Ther
Sources: cvelistv5, nvd
CVE-2022-31014 | LOW | CVSS 3.5 | fixed in 22.2.8; affected >= 23.0.0, < 23.0.5 (+1 more) | 2022-07-05
CWE-74. Nextcloud Server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as th
Sources: cvelistv5, nvd
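SMTP command injection works because SMTP commands are CRLF-terminated lines: a CR/LF inside a value that is interpolated into a command ends that command and starts another, inside the session the application has already authenticated. The following is an added example in illustrative Python, not Nextcloud's code. The advisory does not say which field was injectable, so the sender address used here is an assumption, and the attacker input is constructed.

```python
"""Added example (illustrative Python, not Nextcloud code): how CR/LF in an
attacker-controlled value becomes SMTP command injection, and the check that
stops it. The injectable field (sender address) is an assumption."""
import re

CRLF = "\r\n"
# RFC 5321 commands are CRLF-terminated lines; there is no escaping for a
# CR or LF inside a command line, so such bytes must be rejected outright.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_mail_from_unsafe(sender: str) -> str:
    """Vulnerable: interpolates the value straight into the command."""
    return f"MAIL FROM:<{sender}>{CRLF}"


def validate_smtp_parameter(value: str) -> str:
    """Rejects any control character (CR, LF, NUL, ...) before the value
    reaches the wire."""
    if _CONTROL_CHARS.search(value):
        raise ValueError("SMTP parameter contains control characters")
    return value


def build_mail_from_safe(sender: str) -> str:
    """Hardened: the same command, built only from a validated value."""
    return f"MAIL FROM:<{validate_smtp_parameter(sender)}>{CRLF}"


def commands_as_seen_by_server(wire: str) -> list:
    """Splits the stream the way the server does: one command per line."""
    return [line for line in wire.split(CRLF) if line]


# Constructed attacker input: a "sender" that smuggles a whole extra message.
# The server sees six commands instead of one, all within the authenticated
# session the application opened.
INJECTED_SENDER = (
    "alice@example.org>" + CRLF
    + "RCPT TO:<victim@example.net>" + CRLF
    + "DATA" + CRLF
    + "unsolicited message body" + CRLF
    + "." + CRLF
    + "MAIL FROM:<x"
)


def injected_command_count(sender: str) -> int:
    """How many commands the vulnerable builder hands to the server."""
    return len(commands_as_seen_by_server(build_mail_from_unsafe(sender)))


def safe_builder_rejects(sender: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_mail_from_safe(sender)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for cmd in commands_as_seen_by_server(build_mail_from_unsafe(INJECTED_SENDER)):
        print(repr(cmd))
    print("hardened builder rejects it:", safe_builder_rejects(INJECTED_SENDER))
```

Rejecting rather than encoding is the right choice here: unlike HTTP headers or SQL, an SMTP command line has no quoting mechanism that makes an embedded CRLF safe, so the only sound fix is to refuse the value (and, in a real client, to validate the address syntax as well).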
CVE-2022-31024 | MEDIUM | CVSS 6.5 | fixed in 4.2.6; affected >= 5.0.0, < 5.0.4 | 2022-06-02
CWE-284. richdocuments is the repository for Nextcloud Collabora, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarou
Sources: cvelistv5, nvd
CVE-2022-29243 | MEDIUM | CVSS 4.3 | fixed in 22.2.7; affected >= 23.0.0, < 23.0.4 | 2022-05-31
CWE-20. Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.
Sources: cvelistv5, nvd
CVE-2022-24906 | MEDIUM | CVSS 4.3 | fixed in 1.2.11; affected >= 1.4.0, < 1.4.6 (+1 more) | 2022-05-20
CWE-200. Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud, similar to Trello. The full path of the application is exposed to unauthorized users. It is recommended that the Nextcloud Deck app is upgraded to 1.2.11, 1.4.6, or 1.5.4. There is no workaround available.
Sources: cvelistv5, nvd
CVE-2022-29163 | MEDIUM | CVSS 4.3 | fixed in 22.2.6; affected >= 23.0.0, < 23.0.3 | 2022-05-20
CWE-671. Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.6 and 23.0.3, a user can create a link that is not password protected even if the administrator requires links to be password protected. Versions 22.2.6 and 23.0.3 contain a patch for this issue. There are currently no known workar
Sources: cvelistv5, nvd
CVE-2022-29159 | MEDIUM | CVSS 4.3 | fixed in 1.4.8; affected >= 1.5.0, < 1.5.6 (+1 more) | 2022-05-20
CWE-639. Nextcloud Deck is a Kanban-style project & personal management tool for Nextcloud. In versions prior to 1.4.8, 1.5.6, and 1.6.1, an authenticated user can move stacks with cards from their own board to a board of another user. The Nextcloud Deck app contains a patch for this issue in versions 1.4.8, 1.5.6, and 1.6.1. There are no known currently-kno
Sources: cvelistv5, nvd
CVE-2022-29160 | LOW | CVSS 3.3 | fixed in 3.19.0 | 2022-05-20
CWE-284. Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details persist after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There ar
Sources: cvelistv5, nvd
CVE-2022-24890 | MEDIUM | CVSS 4.3 | fixed in 13.0.5 | 2022-05-17
CWE-200. Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.
Sources: cvelistv5, nvd
CVE-2022-24889 | MEDIUM | CVSS 4.3 | fixed in 21.0.8; fixed in 22.2.4 (+1 more) | 2022-04-27
CWE-345. Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 21.0.8, 22.2.4, and 23.0.1, it is possible to trick administrators into enabling "recommended" apps for the Nextcloud server that they do not need, thus expanding their attack surface unnecessarily. This issue is fixed in versions 21.0.
Sources: cvelistv5, nvd
CVE-2022-24888 | MEDIUM | CVSS 4.3 | affected < 20.0.14.4; fixed in 21.0.8 (+2 more) | 2022-04-27
CWE-74. Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names,
Sources: cvelistv5, nvd
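The behaviour CVE-2022-24888 describes (control characters caught in the middle of a name but not at its edges) is what you get when a name is whitespace-trimmed before it is validated, since \n, \r, \t and \v are all whitespace. The following is an added example in illustrative Python, not Nextcloud's PHP code: the weak check is constructed to reproduce the described symptom and is not the original implementation; the strict check inspects the raw name. Sample names are constructed.

```python
"""Added example (illustrative Python, not Nextcloud code): a name check that
misses edge control characters versus one that rejects them anywhere. The
weak check is constructed to reproduce the advisory's symptom."""
import re

# The four characters named in the advisory: \n, \r, \t and \v (0x0b).
_FORBIDDEN = re.compile(r"[\n\r\t\x0b]")


def weak_is_valid_name(name: str) -> bool:
    """Reproduces the symptom: str.strip() removes all four characters from
    the edges before the check runs, so only inner occurrences are seen."""
    return _FORBIDDEN.search(name.strip()) is None


def strict_is_valid_name(name: str) -> bool:
    """Checks the raw name: a forbidden character anywhere is rejected, as
    are empty and dot-only names."""
    if name in ("", ".", ".."):
        return False
    return _FORBIDDEN.search(name) is None


def looks_identical(a: str, b: str) -> bool:
    """Why edge control characters matter: two distinct names that render
    the same in most file listings and can be confused for one another."""
    return a != b and a.strip() == b.strip()


def classify(names):
    """Returns {name: (weak_verdict, strict_verdict)} for a batch of names."""
    return {n: (weak_is_valid_name(n), strict_is_valid_name(n)) for n in names}


# Constructed inputs.
SAMPLES = [
    "report.pdf",          # clean: both accept
    "report.pdf\n",        # trailing LF: weak accepts, strict rejects
    "\treport.pdf",        # leading tab: weak accepts, strict rejects
    "rep\rort.pdf",        # CR in the middle: both reject
    "\x0breport.pdf\x0b",  # leading and trailing VT: weak accepts, strict rejects
]

if __name__ == "__main__":
    for name, (weak, strict) in classify(SAMPLES).items():
        print(f"{name!r:24} weak={weak!s:5} strict={strict!s:5}")
```

The general rule the example illustrates: validate the exact bytes you are about to store, never a normalised copy, and if you also normalise, do it before validation and reject when the two differ.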
CVE-2022-24887 | MEDIUM | CVSS 6.1 | fixed in 11.3.4; fixed in 12.2.2 (+1 more) | 2022-04-27
CWE-601. Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in a conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are cur
Sources: cvelistv5, nvd
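An open redirect of the kind CVE-2022-24887 describes arises when a URL carried in client-supplied metadata is rendered as a link. Two fixes are usual: allow-list the URL (same-origin https or a plain absolute path) or, better, rebuild the link server-side from identifiers and ignore any supplied URL. The following is an added example in illustrative Python, not Nextcloud's or Deck's code; the trusted origin, the Deck URL layout and the metadata field names are assumptions for the demo, and the sample inputs are constructed.

```python
"""Added example (illustrative Python, not Nextcloud or Deck code): an
allow-list URL check and an identifier-based link builder for shared-card
metadata. Origin, path layout and field names are assumptions."""
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://cloud.example.org"   # assumed instance URL


def link_from_metadata_unsafe(metadata: dict) -> str:
    """Vulnerable pattern: whatever URL the shared object carries is used."""
    return metadata["link"]


def safe_url(untrusted: str, trusted_origin: str = TRUSTED_ORIGIN):
    """Allow-list check: accept a same-origin https URL or a plain absolute
    path; return None for anything that must not be rendered as a link."""
    try:
        origin = urlsplit(trusted_origin)
        parts = urlsplit(untrusted)
        port = parts.port                 # raises ValueError on a bogus port
    except ValueError:
        return None
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. "//host" never lands here (netloc is set), but
        # browsers also read "/\host" as protocol-relative, so reject it too.
        if untrusted.startswith("/") and not untrusted.startswith(("//", "/\\")):
            return untrusted
        return None
    if parts.scheme != "https":
        return None                       # javascript:, data:, http:, ...
    if parts.username is not None or parts.password is not None:
        return None                       # https://cloud.example.org@evil.example.com/
    if parts.hostname != origin.hostname:
        return None
    if port not in (None, 443):
        return None
    return untrusted


def link_from_metadata_safe(metadata: dict, trusted_origin: str = TRUSTED_ORIGIN) -> str:
    """Stronger fix: rebuild the link from integer identifiers and never use
    a client-supplied URL at all. The path layout is an assumption."""
    board = int(metadata["boardId"])
    card = int(metadata["cardId"])
    return f"{trusted_origin}/apps/deck/#/board/{board}/card/{card}"


# Constructed samples of URLs an attacker might place in the metadata.
SAMPLES = {
    "same-origin": "https://cloud.example.org/apps/deck/#/board/3/card/17",
    "relative": "/apps/deck/#/board/3/card/17",
    "other-host": "https://evil.example.com/",
    "scheme": "javascript:alert(1)",
    "protocol-relative": "//evil.example.com/x",
    "backslash": "/\\evil.example.com",
    "userinfo": "https://cloud.example.org@evil.example.com/",
    "downgrade": "http://cloud.example.org/",
}

if __name__ == "__main__":
    for label, url in SAMPLES.items():
        print(f"{label:18} {url!r} -> {safe_url(url)!r}")
    print(link_from_metadata_safe({"boardId": "3", "cardId": "17"}))
```

The identifier-based builder is preferable because it removes the untrusted URL from the rendering path entirely; the allow-list check is what you fall back to when the link genuinely has to come from the client.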
CVE-2022-24885 | LOW | CVSS 2.4 | fixed in 3.19.1 | 2022-04-27
CWE-287. Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.1, users can bypass a lock on the Nextcloud app on an Android device by repeatedly reopening the app. Version 3.19.1 contains a fix for the problem. There are currently no known workarounds.
Sources: cvelistv5, nvd