6 results (0.010 seconds)

CVSS: 5.8EPSS: 0%CPEs: 5EXPL: 0

Nextcloud office/richdocuments is an office suit for the nextcloud server platform. In affected versions the Collabora integration can be tricked to provide access to any file without proper permission validation. As a result any user with access to Collabora can obtain the content of other users files. It is recommended that the Nextcloud Office App (Collabora Integration) is updated to 7.0.2 (Nextcloud 25), 6.3.2 (Nextcloud 24), 5.0.10 (Nextcloud 23), 4.2.9 (Nextcloud 21-22), or 3.8.7 (Nextcloud 15-20). There are no known workarounds for this issue. • https://github.com/nextcloud/richdocuments/pull/2669 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64xc-r58v-53gj https://hackerone.com/reports/1788222 • CWE-284: Improper Access Control CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

richdocuments is the repository for NextCloud Collabra, the app for Nextcloud Office collaboration. Prior to versions 6.0.0, 5.0.4, and 4.2.6, a user could be tricked into working against a remote Office by sending them a federated share. richdocuments versions 6.0.0, 5.0.4 and 4.2.6 contain a fix for this issue. There are currently no known workarounds available. richdocuments es el repositorio de NextCloud Collabra, la aplicación para la colaboración de Nextcloud Office. En versiones anteriores a 6.0.0, 5.0.4 y 4.2.6, podía engañarse a un usuario para que trabajara con un Office remoto mediante el envío de un recurso compartido federado. Las versiones 6.0.0, 5.0.4 y 4.2.6 de richdocuments contienen una corrección para este problema. • https://github.com/nextcloud/richdocuments/pull/2161 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-94hr-7g4v-f53r https://hackerone.com/reports/1210424 • CWE-284: Improper Access Control CWE-346: Origin Validation Error •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`). It is recommended that the Richdocuments application is upgraded to 3.8.6 or 4.2.3. • https://github.com/nextcloud/richdocuments/pull/1760 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-rjcc-4cgj-6v93 https://hackerone.com/reports/1253460 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

Nextcloud Richdocuments is an open source collaborative office suite. In affected versions there is a lack of rate limiting on the Richdocuments OCS endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. It is recommended that the Nextcloud Richdocuments app is upgraded to either 3.8.4 or 4.2.1 to resolve. For users unable to upgrade it is recommended that the Richdocuments application be disabled. • https://github.com/nextcloud/richdocuments/pull/1663 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gvvr-h36p-8mjx https://hackerone.com/reports/1258750 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

Nextcloud Richdocuments is an open source collaborative office suite. In affected versions the File Drop features ("Upload Only" public link shares in Nextcloud) can be bypassed using the Nextcloud Richdocuments app. An attacker was able to read arbitrary files in such a share. It is recommended that the Nextcloud Richdocuments is upgraded to 3.8.4 or 4.2.1. If upgrading is not possible then it is recommended to disable the Richdocuments application. • https://github.com/nextcloud/richdocuments/pull/1664 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pxhh-954f-8w7w https://hackerone.com/reports/1253403 • CWE-639: Authorization Bypass Through User-Controlled Key •