CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22403 – OAuth2 authorization codes are valid indefinetly in Nextcloud server
https://notcve.org/view.php?id=CVE-2024-22403
18 Jan 2024 — Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36 • CWE-613: Insufficient Session Expiration •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 1CVE-2023-48306 – Nextcloud Server DNS pin middleware can be tricked into DNS rebinding allowing SSRF
https://notcve.org/view.php?id=CVE-2023-48306
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, the DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise S... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f69-f9jg-4x3v • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 1CVE-2023-48304 – Nextcloud Server vulnerable to attacker enabling/disabling birthday calendar for any user
https://notcve.org/view.php?id=CVE-2023-48304
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could enable and disable the birthday calendar for any user on the same server. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 22.2.10.16, 2... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.5EPSS: 0%CPEs: 11EXPL: 1CVE-2023-48239 – Nextcloud Server users can make external storage mount points inaccessible for other users
https://notcve.org/view.php?id=CVE-2023-48239
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, an... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2023-45148 – Rate limiter not working reliable when Memcached is installed in Nextcloud
https://notcve.org/view.php?id=CVE-2023-45148
16 Oct 2023 — Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached. Nextcloud es un servidor en la nube doméstico de código abierto. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-39960 – Nextcloud Server has improper restriction of excessive authentication attempts on WebDAV endpoint
https://notcve.org/view.php?id=CVE-2023-39960
13 Oct 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this is... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 8.1EPSS: 0%CPEs: 11EXPL: 0CVE-2023-39963 – Missing password confirmation when creating app passwords
https://notcve.org/view.php?id=CVE-2023-39963
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9,... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5 • CWE-284: Improper Access Control •
CVSS: 7.7EPSS: 0%CPEs: 12EXPL: 0CVE-2023-39962 – Users can delete external storage mount points
https://notcve.org/view.php?id=CVE-2023-39962
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.1... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm • CWE-284: Improper Access Control •
CVSS: 5.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-39958 – Missing brute force protection on password reset token OAuth2 API controller
https://notcve.org/view.php?id=CVE-2023-39958
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are av... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-39952 – Advanced permissions not respected when copying entire group folders
https://notcve.org/view.php?id=CVE-2023-39952
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch... • https://github.com/nextcloud/groupfolders/issues/1906 • CWE-284: Improper Access Control •