CVSS: 6.7EPSS: 0%CPEs: 2EXPL: 2CVE-2020-8296
https://notcve.org/view.php?id=CVE-2020-8296
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured. Nextcloud Server versiones anteriores a 20.0.0, almacena las contraseñas en un formato recuperable inclusive cuando el almacenamiento externo no está configurado • https://github.com/nextcloud/server/issues/17439 https://github.com/nextcloud/server/pull/21037 https://hackerone.com/reports/867164 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S https://nextcloud.com/security/advisory/?id=NC-SA-2021-006 • CWE-257: Storing Passwords in a Recoverable Format CWE-521: Weak Password Requirements •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-22878
https://notcve.org/view.php?id=CVE-2021-22878
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. Nextcloud Server versiones anteriores a 20.0.6, es vulnerable a un ataque de tipo cross-site scripting (XSS) reflejado debido a una falta de saneamiento en "OC.Notification.show" • https://github.com/nextcloud/server/pull/25234 https://hackerone.com/reports/896522 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S https://nextcloud.com/security/advisory/?id=NC-SA-2021-005 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 1CVE-2021-22877
https://notcve.org/view.php?id=CVE-2021-22877
A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. Una falta de comprobación de usuario en Nextcloud versiones anteriores a 20.0.6, inadvertidamente llena las propias credenciales del usuario para la configuración del almacenamiento externo de otros usuarios cuando aún no están configuradas • https://github.com/nextcloud/server/issues/24600 https://github.com/nextcloud/server/pull/25224 https://hackerone.com/reports/1061591 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S https://nextcloud.com/security/advisory/?id=NC-SA-2021-004 • CWE-284: Improper Access Control CWE-862: Missing Authorization •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 0CVE-2020-8294
https://notcve.org/view.php?id=CVE-2020-8294
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. Una falta comprobación de enlace en Nextcloud Server versiones anteriores a 20.0.2, 19.0.5, 18.0.11, permite una ejecución de un ataque de tipo XSS almacenado usando Internet Explorer cuando se guarda una URL "javascript:" en formato markdown • https://hackerone.com/reports/1023787 https://nextcloud.com/security/advisory/?id=NC-SA-2021-002 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8295
https://notcve.org/view.php?id=CVE-2020-8295
A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user. Una comprobación equivocada en Nextcloud Server versiones 19 y anteriores, permitió llevar a cabo un ataque de denegación de servicio al restablecer la contraseña de un usuario • https://hackerone.com/reports/812754 https://nextcloud.com/security/advisory/?id=NC-SA-2021-003 • CWE-400: Uncontrolled Resource Consumption •