CVE-2023-49790 – App PIN code can be bypassed in Nextcloud Files iOS
https://notcve.org/view.php?id=CVE-2023-49790
The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. Prior to version 4.9.2, the application can be used without providing the 4 digit PIN code. Nextcloud iOS Files app should be upgraded to 4.9.2 to receive the patch. No known workarounds are available. La aplicación Nextcloud iOS Files permite a los usuarios de iOS interactuar con Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/ios/pull/2665 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j8g7-88vv-rggv https://hackerone.com/reports/2245437 • CWE-287: Improper Authentication •
CVE-2023-28647 – App pin of the iOS app can be bypassed in Nextcloud iOS
https://notcve.org/view.php?id=CVE-2023-28647
Nextcloud iOS is an ios application used to interface with the nextcloud home cloud ecosystem. In versions prior to 4.7.0 when an attacker has physical access to an unlocked device, they may enable the integration into the iOS Files app and bypass the Nextcloud pin/password protection and gain access to a users files. It is recommended that the Nextcloud iOS app is upgraded to 4.7.0. There are no known workarounds for this vulnerability. • https://github.com/nextcloud/ios/pull/2344 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wjgg-2v4p-2gq6 • CWE-281: Improper Preservation of Permissions CWE-287: Improper Authentication •
CVE-2022-39210 – Access to internal files of the Nextcloud Android app
https://notcve.org/view.php?id=CVE-2022-39210
Nextcloud android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result access to internal files of the from within the Nextcloud Android app is possible. This may lead to a leak of sensitive information in some cases. It is recommended that the Nextcloud Android app is upgraded to 3.21.0. • https://github.com/nextcloud/android/pull/10544 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw2w-gpcv-v39f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-29160 – Sensitive files/data exist after deletion of user account in Nextcloud Android
https://notcve.org/view.php?id=CVE-2022-29160
Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details exist after deletion of a user account. This could result in misuse of the former account holder's information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available. • https://github.com/nextcloud/android/pull/9644 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xcj9-3jch-qr2r https://hackerone.com/reports/1222873 • CWE-284: Improper Access Control CWE-459: Incomplete Cleanup •
CVE-2022-24886 – Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client
https://notcve.org/view.php?id=CVE-2022-24886
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds. La aplicación Android de Nextcloud es el cliente Android para Nextcloud, una plataforma de productividad autoalojada. • https://github.com/nextcloud/android/pull/9726 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq https://hackerone.com/reports/1161401 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •