CVSS: 8.1EPSS: 0%CPEs: 9EXPL: 0CVE-2024-37882 – Nextcloud Server can reshare read&share only folder with more permissions
https://notcve.org/view.php?id=CVE-2024-37882
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4. Nextcloud Server es un sistema de nube personal autohospedado. Un destinatario de un recurso compartido con permisos de lectura y uso compartido podría volver a compartir el elemento con más permisos. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq https://github.com/nextcloud/server/pull/44339 https://hackerone.com/reports/2289425 • CWE-281: Improper Preservation of Permissions CWE-284: Improper Access Control •
CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37317 – Nextcloud Notes app can be tricked into using a received share created before the user logged in
https://notcve.org/view.php?id=CVE-2024-37317
The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3. La aplicación Nextcloud Notes es una aplicación para tomar notas sin distracciones para Nextcloud. Si un atacante lograba compartir una carpeta llamada `Notas/` con un usuario recién creado antes de iniciar sesión, la aplicación Notas usaría esa carpeta para almacenar las notas personales. • https://github.com/nextcloud/notes/pull/1260 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx https://hackerone.com/reports/2254151 • CWE-284: Improper Access Control •
CVSS: 4.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37316 – Nextcloud Calendar's event create can create attachments that link to other websites
https://notcve.org/view.php?id=CVE-2024-37316
Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2. Nextcloud Calendar es una aplicación de calendario para Nextcloud. Los usuarios autenticados podrían crear un evento con datos adjuntos manipulados que provoquen una mala redirección para los participantes cuando se haga clic en ellos. • https://github.com/nextcloud/calendar/pull/5966 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2r7q-vfmv-79qf https://hackerone.com/reports/2457588 • CWE-241: Improper Handling of Unexpected Data Type •
CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37315 – Nextcloud Server's read-only users can restore old versions
https://notcve.org/view.php?id=CVE-2024-37315
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3. Nextcloud Server es un sistema de nube personal autohospedado. Un atacante con acceso de solo lectura a un archivo puede restaurar versiones anteriores de un documento cuando la aplicación files_versions está habilitada. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942 https://github.com/nextcloud/server/pull/43727 https://hackerone.com/reports/1356508 • CWE-284: Improper Access Control •
CVSS: 3.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37314 – Nextcloud Photos' shared albums have no restriction on photo removal
https://notcve.org/view.php?id=CVE-2024-37314
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2. Nextcloud Photos es una aplicación de gestión de fotografías. Los usuarios pueden eliminar fotos del álbum de usuarios registrados. • https://github.com/nextcloud/photos/pull/1749 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9chh-5prm-wp43 https://hackerone.com/reports/1946298 • CWE-284: Improper Access Control •