CVE-2020-8155
https://notcve.org/view.php?id=CVE-2020-8155
An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF. Una biblioteca de terceros obsoleta en el visualizador de Archivos PDF para Nextcloud Server versión 18.0.2, causó una vulnerabilidad de tipo Cross-site scripting cuando se abre un PDF malicioso. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP https://nextcloud.com/security/advisory/?id=NC-SA-2020-019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-8154
https://notcve.org/view.php?id=CVE-2020-8154
An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. Una vulnerabilidad de referencia directa a objeto No Segura en Nextcloud Server versión 18.0.2, permitió a un atacante limpiar de manera remota dispositivos de otros usuarios cuando se envía una petición maliciosa directamente al endpoint. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html https://hackerone.com/reports/819807 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP https://nextcloud.com/security/advisory/?id=NC-SA-2020 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2020-8139
https://notcve.org/view.php?id=CVE-2020-8139
A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. Una falta de comprobación del control de acceso en Nextcloud Server versiones anteriores a 18.0.1, versiones anteriores a 17.0.4 y versiones anteriores a 16.0.9, causa que los recursos compartidos de descarga oculta sean descargables cuando se agregan y descargan en la URL. • https://hackerone.com/reports/788257 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP https://nextcloud.com/security/advisory/?id=NC-SA-2020-015 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVE-2020-8138
https://notcve.org/view.php?id=CVE-2020-8138
A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL. Una falta de comprobación de IPv4 anidado dentro de IPv6 en el servidor Nextcloud versiones anteriores a 17.0.1, versiones anteriores a 16.0.7 y versiones anteriores a 15.0.14, permitió una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) cuando se suscribe en una URL de calendario maliciosa. • https://hackerone.com/reports/736867 https://nextcloud.com/security/advisory/?id=NC-SA-2020-014 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2019-15617
https://notcve.org/view.php?id=CVE-2019-15617
A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login. Una falta de comprobación en Nextcloud Server versión 17.0.0, permitió a un atacante configurar un nuevo segundo factor cuando se intenta iniciar sesión. • https://hackerone.com/reports/722748 https://nextcloud.com/security/advisory/?id=NC-SA-2020-006 • CWE-287: Improper Authentication •