CVSS: 9.0EPSS: 0%CPEs: 10EXPL: 0CVE-2023-35928 – Nextcloud user scoped external storage can be used to gather credentials of other users
https://notcve.org/view.php?id=CVE-2023-35928
23 Jun 2023 — Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use this functionality to get access to the login credentials of another user and take over their... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h • CWE-274: Improper Handling of Insufficient Privileges •
CVSS: 8.5EPSS: 0%CPEs: 10EXPL: 0CVE-2023-35927 – Nextcloud system addressbooks can be modified by malicious trusted server
https://notcve.org/view.php?id=CVE-2023-35927
23 Jun 2023 — NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, when two server are registered as trusted servers for each other and successfully exchanged the share secrets, the malicious server c... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7f7-535f-7q87 • CWE-284: Improper Access Control •
CVSS: 9.4EPSS: 0%CPEs: 8EXPL: 0CVE-2023-35172 – Nextcloud Server password reset endpoint is not brute force protected
https://notcve.org/view.php?id=CVE-2023-35172
23 Jun 2023 — NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, ... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 2CVE-2023-35171 – Nextcloud Server vulnerable to open redirect on "Unsupported browser" warning
https://notcve.org/view.php?id=CVE-2023-35171
23 Jun 2023 — NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. Starting in version 26.0.0 and prior to version 26.0.2, an attacker could supply a URL that redirects an unsuspecting victim from a legitimate domain to an attacker's site. Nextcloud Server and Nextcloud Enterprise Server 26.0.2 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h353-vvwv-j2r4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.7EPSS: 0%CPEs: 8EXPL: 0CVE-2023-32320 – Nextcloud Server's brute force protection allows someone to send more requests than intended
https://notcve.org/view.php?id=CVE-2023-32320
22 Jun 2023 — Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to send as many requests the server could handle in parallel to bruteforce protected details instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versio... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-32319 – Basic auth header on WebDAV requests is not brute-force protected in Nextcloud
https://notcve.org/view.php?id=CVE-2023-32319
26 May 2023 — Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2023-32318 – User session not correctly destroyed on logout
https://notcve.org/view.php?id=CVE-2023-32318
26 May 2023 — Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38 • CWE-613: Insufficient Session Expiration •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 1CVE-2023-28847 – Nextcloud Server missing brute force protection for passwords of password protected share links
https://notcve.org/view.php?id=CVE-2023-28847
25 Apr 2023 — Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contai... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 9.0EPSS: 0%CPEs: 13EXPL: 0CVE-2023-30539 – Users can set up workflows using restricted and invisible system tags in Nextcloud
https://notcve.org/view.php?id=CVE-2023-30539
17 Apr 2023 — Nextcloud is a personal home server system. Depending on the set up tags and other workflows this issue can be used to limit access of others or being able to grant them access when there are system tag based files access control or files retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or... • https://github.com/nextcloud/files_automatedtagging/pull/705 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 2CVE-2023-28834 – Full path of data directory exposed to Nextcloud server users
https://notcve.org/view.php?id=CVE-2023-28834
03 Apr 2023 — Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from an API endpoint. By itself this information is not problematic as it can also be guessed for most common setups, but it could speed up other unknown attacks i... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5w64-6c42-rgcv • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •