Page 21 of 155 results (0.006 seconds)

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1

A logic error in Nextcloud Server 19.0.0 caused a privilege escalation allowing malicious users to reshare with higher permissions than they got assigned themselves. Un error lógico en Nextcloud Server versión 19.0.0, causó una escalada de privilegios permitiendo a usuarios maliciosos volver a compartir con permisos más elevados de los que se les asignaron • https://hackerone.com/reports/889243 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T7FX3O6SJE2S52I2HAA4DSTUIISP5BNA https://nextcloud.com/security/advisory/?id=NC-SA-2020-029 • CWE-269: Improper Privilege Management •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

An outdated 3rd party library in the Files PDF viewer for Nextcloud Server 18.0.2 caused a Cross-site scripting vulnerability when opening a malicious PDF. Una biblioteca de terceros obsoleta en el visualizador de Archivos PDF para Nextcloud Server versión 18.0.2, causó una vulnerabilidad de tipo Cross-site scripting cuando se abre un PDF malicioso. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP https://nextcloud.com/security/advisory/?id=NC-SA-2020-019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 1

An Insecure direct object reference vulnerability in Nextcloud Server 18.0.2 allowed an attacker to remote wipe devices of other users when sending a malicious request directly to the endpoint. Una vulnerabilidad de referencia directa a objeto No Segura en Nextcloud Server versión 18.0.2, permitió a un atacante limpiar de manera remota dispositivos de otros usuarios cuando se envía una petición maliciosa directamente al endpoint. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00037.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00038.html http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00040.html http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00019.html https://hackerone.com/reports/819807 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP https://nextcloud.com/security/advisory/?id=NC-SA-2020 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

A missing access control check in Nextcloud Server < 18.0.1, < 17.0.4, and < 16.0.9 causes hide-download shares to be downloadable when appending /download to the URL. Una falta de comprobación del control de acceso en Nextcloud Server versiones anteriores a 18.0.1, versiones anteriores a 17.0.4 y versiones anteriores a 16.0.9, causa que los recursos compartidos de descarga oculta sean descargables cuando se agregan y descargan en la URL. • https://hackerone.com/reports/788257 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP https://nextcloud.com/security/advisory/?id=NC-SA-2020-015 • CWE-284: Improper Access Control CWE-862: Missing Authorization •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1

A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL. Una falta de comprobación de IPv4 anidado dentro de IPv6 en el servidor Nextcloud versiones anteriores a 17.0.1, versiones anteriores a 16.0.7 y versiones anteriores a 15.0.14, permitió una vulnerabilidad de tipo Server-Side Request Forgery (SSRF) cuando se suscribe en una URL de calendario maliciosa. • https://hackerone.com/reports/736867 https://nextcloud.com/security/advisory/?id=NC-SA-2020-014 • CWE-918: Server-Side Request Forgery (SSRF) •