CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37316 – Nextcloud Calendar's event create can create attachments that link to other websites
https://notcve.org/view.php?id=CVE-2024-37316
14 Jun 2024 — Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2. Nextcloud Calendar es una aplicación de calendario para Nextcloud. Los usuarios autenticados podrían crear un evento con datos adjuntos manipulados que provoquen una mala redirección para los participantes cuando se haga clic en ellos. • https://github.com/nextcloud/calendar/pull/5966 • CWE-241: Improper Handling of Unexpected Data Type •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37315 – Nextcloud Server's read-only users can restore old versions
https://notcve.org/view.php?id=CVE-2024-37315
14 Jun 2024 — Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3. Nextcloud Server es un sistema de nube personal autohospedado. Un atacante con acceso de solo lectura a un archivo puede... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942 • CWE-284: Improper Access Control •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37314 – Nextcloud Photos' shared albums have no restriction on photo removal
https://notcve.org/view.php?id=CVE-2024-37314
14 Jun 2024 — Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2. Nextcloud Photos es una aplicación de gestión de fotografías. Los usuarios pueden eliminar fotos del álbum de usuarios registrados. • https://github.com/nextcloud/photos/pull/1749 • CWE-284: Improper Access Control •
CVSS: 7.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-37313 – Nextcloud server allows the by-pass the second factor
https://notcve.org/view.php?id=CVE-2024-37313
14 Jun 2024 — Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4. El servidor Nextcloud es un sistema de nube personal autohospedado. En algunas circunstancias, fue posible omiti... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c • CWE-287: Improper Authentication •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37312 – Nextcloud user_oidc app's ID4me feature is available even when disabled
https://notcve.org/view.php?id=CVE-2024-37312
14 Jun 2024 — user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28). La aplicación user_oidc es un backend de usuario de OpenID Connect para Nextcloud. La falta de control de acceso en el terminal ID4me permite ... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vw7g-959g-vj6q • CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-30247 – Command Injection as root in NextCloudPi web panel
https://notcve.org/view.php?id=CVE-2024-30247
29 Mar 2024 — NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1. NextcloudPi es una imagen lista para usar para Máquinas Virtuales, Raspberry Pi, Odroid ... • https://github.com/nextcloud/nextcloudpi/security/advisories/GHSA-m597-72v7-j982 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-22402 – Improper handling of request URLs in Nextcloud Guests app allows guest users to bypass app allowlist
https://notcve.org/view.php?id=CVE-2024-22402
18 Jan 2024 — Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users were able to load the first page of apps they were actually not allowed to access. Depending on the selection of apps installed this may present a permissions bypass. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability. • https://github.com/nextcloud/guests/pull/1082 • CWE-281: Improper Preservation of Permissions •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-22401 – All users can reset the allowed apps list for Nextcloud Guest App users
https://notcve.org/view.php?id=CVE-2024-22401
18 Jan 2024 — Nextcloud guests app is a utility to create guest users which can only see files shared with them. In affected versions users could change the allowed list of apps, allowing them to use apps that were not intended to be used. It is recommended that the Guests app is upgraded to 2.4.1, 2.5.1 or 3.0.1. There are no known workarounds for this vulnerability. La aplicación para invitados Nextcloud es una utilidad para crear usuarios invitados que solo pueden ver los archivos compartidos con ellos. • https://github.com/nextcloud/guests/pull/1082 • CWE-281: Improper Preservation of Permissions •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-22404 – Permissions bypass in Nextcloud with the files zip app
https://notcve.org/view.php?id=CVE-2024-22404
18 Jan 2024 — Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app. La aplicación Nextcloud files Zip es una herramienta para crear archivos zip a partir de uno o varios archivos desde Nextcloud. • https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820 • CWE-281: Improper Preservation of Permissions •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22403 – OAuth2 authorization codes are valid indefinetly in Nextcloud server
https://notcve.org/view.php?id=CVE-2024-22403
18 Jan 2024 — Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36 • CWE-613: Insufficient Session Expiration •