CVE-2023-45149 – Passwords of Talk conversations can be brute-forced in Nextcloud
https://notcve.org/view.php?id=CVE-2023-45149
Nextcloud Talk is the chat module for the Nextcloud server platform. In affected versions the brute-force protection for public Talk conversation passwords can be bypassed: a second endpoint validated the conversation password without registering failed attempts with the brute-force throttler, so an attacker could guess passwords against that endpoint without being slowed down or locked out. Upgrade the Nextcloud Talk app to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.
References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv, https://github.com/nextcloud/spreed/pull/10545, https://hackerone.com/reports/2094473
CWE-307: Improper Restriction of Excessive Authentication Attempts
CVE-2023-45148 – Rate limiter not working reliably when Memcached is installed in Nextcloud
https://notcve.org/view.php?id=CVE-2023-45148
Nextcloud is an open source home cloud server. When Memcached is used as the `memcache.distributed` backend, the rate-limit counters in Nextcloud Server could be reset unexpectedly, clearing the attempt count earlier than intended and so weakening the protection against repeated authentication attempts. Upgrade to version 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change the config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached.
References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63, https://github.com/nextcloud/server/pull/40293, https://hackerone.com/reports/2110945
CWE-307: Improper Restriction of Excessive Authentication Attempts
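The workaround above as a `config/config.php` fragment, added here as an illustration rather than taken from the advisory. The commented-out lines show the affected Memcached setting; the active lines are the advisory's Redis replacement. The host and port values are placeholders.

```php
<?php
// Added example, not from the advisory or the Nextcloud project.
// Relevant fragment of config/config.php for CVE-2023-45148.
$CONFIG = [
    // Affected configuration: distributed cache (and with it the rate-limit
    // counters) in Memcached, where the counters could be reset early.
    // 'memcache.distributed' => '\OC\Memcache\Memcached',
    // 'memcached_servers'    => [['127.0.0.1', 11211]],

    // Workaround from the advisory for installations that cannot upgrade:
    // keep the distributed cache in Redis instead.
    'memcache.distributed' => '\OC\Memcache\Redis',
    'redis' => [
        'host' => '127.0.0.1',   // placeholder
        'port' => 6379,          // placeholder
    ],
];
```

After changing the file, confirm the active value with `occ config:system:get memcache.distributed` and make sure the PHP Redis extension is installed, otherwise Nextcloud will refuse to start with that backend.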
CVE-2023-45151 – OAuth2 client_secret stored in plain text in the Nextcloud database
https://notcve.org/view.php?id=CVE-2023-45151
Nextcloud Server is an open source home cloud platform. Affected versions stored OAuth2 client secrets in plain text in the Nextcloud database, which allows an attacker who has already gained access to the server to potentially elevate their privileges by reading and reusing them. Upgrade Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.
References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9, https://github.com/nextcloud/server/pull/38398, https://hackerone.com/reports/1994324
CWE-312: Cleartext Storage of Sensitive Information
CVE-2023-45660 – Require strict cookies for image proxy requests in Nextcloud Mail
https://notcve.org/view.php?id=CVE-2023-45660
Nextcloud Mail is an email app for the Nextcloud home server platform. In affected versions the image proxy endpoint did not check the request origin or the target, and did not require strict cookies, so an attacker could abuse it to make the Nextcloud server issue requests against a third-party server, causing a denial of service against that server. Upgrade Nextcloud Mail to 2.2.8 or 3.3.0. There are no known workarounds for this vulnerability.
References: https://github.com/nextcloud/mail/pull/8459, https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8j9x-fmww-qr37, https://hackerone.com/reports/1895874
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-39960 – Nextcloud Server has improper restriction of excessive authentication attempts on WebDAV endpoint
https://notcve.org/view.php?id=CVE-2023-39960
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.0.9 and 26.0.4, as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9 and 26.0.4, missing brute-force protection allows an attacker to brute-force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9 and 26.0.4 contain patches for this issue. No known workarounds are available.
References: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9, https://github.com/nextcloud/server/pull/38046, https://hackerone.com/reports/1924212
CWE-307: Improper Restriction of Excessive Authentication Attempts
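CVE-2023-45149 and CVE-2023-39960 above are the same bug class: an endpoint that compares a secret but is not wired into the brute-force throttler. The script below is an added example, not Nextcloud code, that models that class with a tiny in-memory throttler. Every name in it (AttemptThrottler, Conversation, the two verify* functions, the action string, the IP addresses and the wordlist) is hypothetical and constructed for the demo; Nextcloud's own throttler API is not used.

```php
<?php
// Added example, not Nextcloud code: a minimal model of the CWE-307 pattern behind
// CVE-2023-45149 (Talk conversation password endpoint) and CVE-2023-39960 (WebDAV).
// All names below are hypothetical; the data is constructed for the demo.
declare(strict_types=1);

final class AttemptThrottler
{
    private const MAX_ATTEMPTS = 5;      // failures allowed per window
    private const WINDOW_SECONDS = 300;  // sliding window

    /** @var array<string, int[]> failure timestamps keyed by "action:ip" */
    private array $failures = [];

    private function key(string $action, string $ip): string
    {
        return $action . ':' . $ip;
    }

    /** Record one failed attempt. An endpoint that forgets to call this is the bug. */
    public function registerAttempt(string $action, string $ip): void
    {
        $this->failures[$this->key($action, $ip)][] = time();
    }

    /** True once the source has used up its budget inside the window. */
    public function isBlocked(string $action, string $ip): bool
    {
        $k = $this->key($action, $ip);
        $cutoff = time() - self::WINDOW_SECONDS;
        $recent = array_values(array_filter(
            $this->failures[$k] ?? [],
            static fn (int $t): bool => $t > $cutoff
        ));
        $this->failures[$k] = $recent;
        return count($recent) >= self::MAX_ATTEMPTS;
    }

    public function resetAttempts(string $action, string $ip): void
    {
        unset($this->failures[$this->key($action, $ip)]);
    }
}

final class Conversation
{
    public function __construct(private string $passwordHash) {}

    public function checkPassword(string $candidate): bool
    {
        return password_verify($candidate, $this->passwordHash);
    }
}

/** Vulnerable pattern: verifies the secret but never tells the throttler. */
function verifyPasswordUnthrottled(Conversation $c, string $password): bool
{
    return $c->checkPassword($password);
}

/** Hardened pattern: consult the throttler first, register every failure. */
function verifyPasswordThrottled(AttemptThrottler $t, Conversation $c, string $ip, string $password): int
{
    $action = 'talkRoomPassword';
    if ($t->isBlocked($action, $ip)) {
        return 429;                       // budget exhausted, password not even checked
    }
    if (!$c->checkPassword($password)) {
        $t->registerAttempt($action, $ip);
        return 403;
    }
    $t->resetAttempts($action, $ip);
    return 200;
}

// --- demo with constructed data ---
$room = new Conversation(password_hash('hunter2', PASSWORD_DEFAULT));
$throttler = new AttemptThrottler();
$attackerIp = '203.0.113.7';
$wordlist = ['123456', 'password', 'letmein', 'qwerty', 'welcome', 'hunter2', 'secret'];

// Through the hardened endpoint the correct guess (the sixth) is never verified.
$statuses = [];
foreach ($wordlist as $guess) {
    $statuses[] = verifyPasswordThrottled($throttler, $room, $attackerIp, $guess);
}
echo 'hardened endpoint: ', implode(' ', $statuses), PHP_EOL;

// Through the unthrottled endpoint the same wordlist recovers the password.
$found = null;
foreach ($wordlist as $guess) {
    if (verifyPasswordUnthrottled($room, $guess)) {
        $found = $guess;
        break;
    }
}
echo 'unthrottled endpoint found: ', $found, PHP_EOL;

// The recovered password then passes the protected endpoint on the first try.
echo 'replay against hardened endpoint: ',
    verifyPasswordThrottled(new AttemptThrottler(), $room, '198.51.100.9', (string) $found), PHP_EOL;
```

Run it with `php` on the command line: the hardened endpoint answers the first five wrong guesses with 403 and everything after that with 429, the unthrottled endpoint walks the whole wordlist and finds `hunter2`, and that password is then accepted by the protected endpoint. Two practitioner caveats: the throttler here is keyed by source IP, so it slows a single source but not a distributed attack, and it is only as strong as the store behind it, which is exactly why a counter that is cleared early (CVE-2023-45148) undermines the protection even when every endpoint registers its failures. In Nextcloud the equivalent mechanism is the server's brute-force throttler, applied to controller methods with the `BruteForceProtection` annotation (see the Nextcloud developer documentation); the lesson of both advisories is that every new endpoint that compares a secret has to be registered with it.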