CVSS: 8.5EPSS: 0%CPEs: 11EXPL: 1CVE-2023-48239 – Nextcloud Server users can make external storage mount points inaccessible for other users
https://notcve.org/view.php?id=CVE-2023-48239
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, an... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2023-45148 – Rate limiter not working reliable when Memcached is installed in Nextcloud
https://notcve.org/view.php?id=CVE-2023-45148
16 Oct 2023 — Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached. Nextcloud es un servidor en la nube doméstico de código abierto. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xmhp-7vr4-hp63 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-45151 – OAuth2 client_secret stored in plain text in the Nextcloud database
https://notcve.org/view.php?id=CVE-2023-45151
16 Oct 2023 — Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability. El servidor Nextcloud es una plataforma de nube doméstica de código abierto. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-39960 – Nextcloud Server has improper restriction of excessive authentication attempts on WebDAV endpoint
https://notcve.org/view.php?id=CVE-2023-39960
13 Oct 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this is... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 8.1EPSS: 0%CPEs: 11EXPL: 0CVE-2023-39963 – Missing password confirmation when creating app passwords
https://notcve.org/view.php?id=CVE-2023-39963
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9,... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5 • CWE-284: Improper Access Control •
CVSS: 7.7EPSS: 0%CPEs: 12EXPL: 0CVE-2023-39962 – Users can delete external storage mount points
https://notcve.org/view.php?id=CVE-2023-39962
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.1... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm • CWE-284: Improper Access Control •
CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2023-39961 – Text does not respect "Allow download" permissions
https://notcve.org/view.php?id=CVE-2023-39961
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qhgm-w4gx-gvgp • CWE-284: Improper Access Control •
CVSS: 5.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-39959 – Existence of calendars and address books can be checked by unauthenticated users
https://notcve.org/view.php?id=CVE-2023-39959
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj • CWE-284: Improper Access Control •
CVSS: 5.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-39958 – Missing brute force protection on password reset token OAuth2 API controller
https://notcve.org/view.php?id=CVE-2023-39958
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are av... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vv27-g2hq-v48h • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-39952 – Advanced permissions not respected when copying entire group folders
https://notcve.org/view.php?id=CVE-2023-39952
10 Aug 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch... • https://github.com/nextcloud/groupfolders/issues/1906 • CWE-284: Improper Access Control •