CVE-2022-39346 – Missing length validation of user displayname in nextcloud server
https://notcve.org/view.php?id=CVE-2022-39346
Nextcloud server is an open source personal cloud server. Affected versions of nextcloud server did not properly limit user display names which could allow a malicious users to overload the backing database and cause a denial of service. It is recommended that the Nextcloud Server is upgraded to 22.2.10, 23.0.7 or 24.0.3. There are no known workarounds for this issue. El servidor Nextcloud es un servidor en la nube personal de código abierto. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6w9f-jgjx-4vj6 https://github.com/nextcloud/server/pull/33052 https://hackerone.com/reports/1588562 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42TARDPRPBTI5TJRBYRVVQGTL6KWRCV5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R32L3P53AQKQQC652LA5U3AWFTZKPDK3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRAER4DCCHHSUDFHQ6LTIH4JEJFF73IU • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVE-2022-39329 – Profile of disabled user stays accessible
https://notcve.org/view.php?id=CVE-2022-39329
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 23.0.9 and 24.0.5 are vulnerable to exposure of information that cannot be controlled by administrators without direct database access. Versions 23.0.9 and 24.0.5 contains patches for this issue. No known workarounds are available. Nextcloud Server es el software de servidor de archivos para Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f3p-rcm5-mrg3 https://github.com/nextcloud/server/pull/33643 https://hackerone.com/reports/1675014 • CWE-284: Improper Access Control CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVE-2022-39330 – Database resource exhaustion for logged-in users via sharee recommendations with circles
https://notcve.org/view.php?id=CVE-2022-39330
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server prior to versions 22.2.10, 23.0.10, and 24.0.6 are vulnerable to a logged-in attacker slowing down the system by generating a lot of database/cpu load. Nextcloud Server versions 23.0.10 and 24.0.6 and Nextcloud Enterprise Server versions 22.2.10, 23.0.10, and 24.0.6 contain patches for this issue. As a workaround, disable the Circles app. Nextcloud Server es el software de servidor de archivos para Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/circles/pull/1147 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wxx7-w5p4-7x4c https://hackerone.com/reports/1688199 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-39364 – Exception logging in Sharepoint app reveals clear-text connection details
https://notcve.org/view.php?id=CVE-2022-39364
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server prior to versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server prior to versions 22.2.10.5, 23.0.9, and 24.0.5 an attacker reading `nextcloud.log` may gain knowledge of credentials to connect to a SharePoint service. Nextcloud Server versions 23.0.9 and 24.0.5 and Nextcloud Enterprise Server versions 22.2.10.5, 23.0.9, and 24.0.5 contain a patch for this issue. As a workaround, set `zend.exception_ignore_args = On` as an option in `php.ini`. Nextcloud Server es el software de servidor de archivos para Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpf5-jj85-36h5 https://github.com/nextcloud/server/pull/33689 https://github.com/nextcloud/sharepoint/issues/141 https://hackerone.com/reports/1652903 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2022-39210 – Access to internal files of the Nextcloud Android app
https://notcve.org/view.php?id=CVE-2022-39210
Nextcloud android is the official Android client for the Nextcloud home server platform. Internal paths to the Nextcloud Android app files are not properly protected. As a result access to internal files of the from within the Nextcloud Android app is possible. This may lead to a leak of sensitive information in some cases. It is recommended that the Nextcloud Android app is upgraded to 3.21.0. • https://github.com/nextcloud/android/pull/10544 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw2w-gpcv-v39f • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •