CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-22404 – Permissions bypass in Nextcloud with the files zip app
https://notcve.org/view.php?id=CVE-2024-22404
Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app. La aplicación Nextcloud files Zip es una herramienta para crear archivos zip a partir de uno o varios archivos desde Nextcloud. • https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq https://hackerone.com/reports/2247457 • CWE-281: Improper Preservation of Permissions •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22403 – OAuth2 authorization codes are valid indefinetly in Nextcloud server
https://notcve.org/view.php?id=CVE-2024-22403
Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36 https://github.com/nextcloud/server/pull/40766 https://hackerone.com/reports/1784162 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX • CWE-613: Insufficient Session Expiration •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-22400 – Open redirect in user_saml via RelayState parameter in Nextcloud User Saml
https://notcve.org/view.php?id=CVE-2024-22400
Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions users can be given a link to the Nextcloud server and end up on a uncontrolled thirdparty server. It is recommended that the User Saml app is upgraded to version 5.1.5, 5.2.5, or 6.0.1. There are no known workarounds for this issue. Nextcloud User Saml es una aplicación para autenticar a los usuarios de Nextcloud mediante SAML. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-622q-xhfr-xmv7 https://github.com/nextcloud/user_saml/commit/b184304a476deeba36e92b70562d5de7c2f85f8a https://github.com/nextcloud/user_saml/pull/788 https://hackerone.com/reports/2263044 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 2CVE-2024-22213 – Cross-site Scripting when sending HTML as a comment in the Nextcloud Deck app
https://notcve.org/view.php?id=CVE-2024-22213
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into executing malicious code that would execute in their browser via HTML sent as a comment. It is recommended that the Nextcloud Deck is upgraded to version 1.9.5 or 1.11.2. There are no known workarounds for this vulnerability. Deck es una herramienta de organización estilo kanban destinada a la planificación personal y organización de proyectos para equipos integrada con Nextcloud. • https://github.com/nextcloud/deck/commit/91f1557362047f8840f53151f176b80148650bcd https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mg7w-x9fm-9wwc https://hackerone.com/reports/2058556 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-22212 – Nextcloud global site selector authentication bypass
https://notcve.org/view.php?id=CVE-2024-22212
Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue. Nextcloud Global Site Selector es una herramienta que le permite ejecutar múltiples instancias pequeñas de Nextcloud y redirigir a los usuarios al servidor correcto. • https://github.com/nextcloud/globalsiteselector/commit/ab5da57190d5bbc79079ce4109b6bcccccd893ee https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vj5q-f63m-wp77 https://hackerone.com/reports/2248689 • CWE-306: Missing Authentication for Critical Function •