CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41179 – Two-Factor Authentication not enforced for pages marked as public
https://notcve.org/view.php?id=CVE-2021-41179
Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7hvh-rc6f-px23 https://github.com/nextcloud/server/pull/28725 https://hackerone.com/reports/1322865 • CWE-304: Missing Critical Step in Authentication •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41178 – File Traversal affecting SVG files on Nextcloud Server
https://notcve.org/view.php?id=CVE-2021-41178
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf https://github.com/nextcloud/server/pull/28726 https://hackerone.com/reports/1302155 https://security.gentoo.org/glsa/202208-17 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-23: Relative Path Traversal CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41177 – Rate-limits not working on instances without configured memory cache backend
https://notcve.org/view.php?id=CVE-2021-41177
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fj39-4qx4-m3f2 https://github.com/nextcloud/server/pull/28728 https://hackerone.com/reports/1265709 https://security.gentoo.org/glsa/202208-17 • CWE-799: Improper Control of Interaction Frequency •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2021-32802 – Preview generation used third-party library not suited for user-generated content in Nextcloud server
https://notcve.org/view.php?id=CVE-2021-32802
Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. • https://docs.nextcloud.com/server/21/admin_manual/configuration_files/previews_configuration.html#disabling-previews https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m682-v4g9-wrq7 https://hackerone.com/reports/1261413 https://security.gentoo.org/glsa/202208-17 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-32801 – Exceptions may have logged Encryption-at-Rest key content in Nextcloud server
https://notcve.org/view.php?id=CVE-2021-32801
Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed Note that ff you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug. El servidor Nextcloud es una nube personal de código abierto y autoalojada. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h https://github.com/nextcloud/server/pull/28082 https://hackerone.com/reports/1251776 https://security.gentoo.org/glsa/202208-17 • CWE-532: Insertion of Sensitive Information into Log File •