CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22403 – OAuth2 authorization codes are valid indefinetly in Nextcloud server
https://notcve.org/view.php?id=CVE-2024-22403
Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36 https://github.com/nextcloud/server/pull/40766 https://hackerone.com/reports/1784162 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX • CWE-613: Insufficient Session Expiration •
CVSS: 8.5EPSS: 0%CPEs: 11EXPL: 1CVE-2023-48239 – Nextcloud Server users can make external storage mount points inaccessible for other users
https://notcve.org/view.php?id=CVE-2023-48239
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, and 27.1.3 and Nextcloud Enterprise Server is upgraded to 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 contain a patch for this issue. As a workaround, disable app files_external. This workaround also makes the external storage inaccessible but retains the configurations until a patched version has been deployed. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 https://github.com/nextcloud/server/pull/41123 https://hackerone.com/reports/2212627 • CWE-284: Improper Access Control •
CVSS: 8.1EPSS: 0%CPEs: 11EXPL: 0CVE-2023-39963 – Missing password confirmation when creating app passwords
https://notcve.org/view.php?id=CVE-2023-39963
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5 https://github.com/nextcloud/server/pull/39416 https://hackerone.com/reports/2067572 • CWE-284: Improper Access Control •
CVSS: 7.7EPSS: 0%CPEs: 12EXPL: 0CVE-2023-39962 – Users can delete external storage mount points
https://notcve.org/view.php?id=CVE-2023-39962
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm https://github.com/nextcloud/server/pull/39323 https://hackerone.com/reports/2047168 • CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0CVE-2023-35928 – Nextcloud user scoped external storage can be used to gather credentials of other users
https://notcve.org/view.php?id=CVE-2023-35928
Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use this functionality to get access to the login credentials of another user and take over their account. This issue has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and NextCloud Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2. Three workarounds are available. Disable app files_external. Change config setting "Allow users to mount external storage" to disabled in "Administration" > "External storage" settings `…/index.php/settings/admin/externalstorages`. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h https://github.com/nextcloud/server/pull/38265 https://hackerone.com/reports/1978882 • CWE-274: Improper Handling of Insufficient Privileges •