CVE-2023-39960 – Nextcloud Server has improper restriction of excessive authentication attempts on WebDAV endpoint
https://notcve.org/view.php?id=CVE-2023-39960
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available. Nextcloud Server proporciona almacenamiento de datos para Nextcloud, una plataforma en la nube de código abierto. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 https://github.com/nextcloud/server/pull/38046 https://hackerone.com/reports/1924212 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2023-39963 – Missing password confirmation when creating app passwords
https://notcve.org/view.php?id=CVE-2023-39963
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5 https://github.com/nextcloud/server/pull/39416 https://hackerone.com/reports/2067572 • CWE-284: Improper Access Control •
CVE-2023-39962 – Users can delete external storage mount points
https://notcve.org/view.php?id=CVE-2023-39962
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm https://github.com/nextcloud/server/pull/39323 https://hackerone.com/reports/2047168 • CWE-284: Improper Access Control •
CVE-2023-39958 – Missing brute force protection on password reset token OAuth2 API controller
https://notcve.org/view.php?id=CVE-2023-39958
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h https://github.com/nextcloud/server/pull/38773 https://hackerone.com/reports/1258448 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2023-39952 – Advanced permissions not respected when copying entire group folders
https://notcve.org/view.php?id=CVE-2023-39952
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/groupfolders/issues/1906 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-cq8w-v4fh-4rjq https://github.com/nextcloud/server/pull/38890 https://hackerone.com/reports/1808079 • CWE-284: Improper Access Control •