CVSS: 4.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-49790 – App PIN code can be bypassed in Nextcloud Files iOS
https://notcve.org/view.php?id=CVE-2023-49790
22 Dec 2023 — The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. Prior to version 4.9.2, the application can be used without providing the 4 digit PIN code. Nextcloud iOS Files app should be upgraded to 4.9.2 to receive the patch. No known workarounds are available. La aplicación Nextcloud iOS Files permite a los usuarios de iOS interactuar con Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/ios/pull/2665 • CWE-287: Improper Authentication •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48308 – Calendar app returns full stacktrace when an error happens while editing appointment
https://notcve.org/view.php?id=CVE-2023-48308
21 Dec 2023 — Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain access to stacktrace and internal paths of the server when generating an exception while editing a calendar appointment. It is recommended that the Nextcloud Calendar app is upgraded to 4.5.3 Nextcloud/Cloud es una aplicación de calendario para Nextcloud. Un atacante puede obtener acceso al seguimiento de pila y a las rutas internas del servidor al generar una excepción al editar una cita del calendario. Se recomienda actualizar la aplica... • https://github.com/nextcloud/calendar/pull/5553 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-48307 – Nextcloud Mail app vulnerable to Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2023-48307
21 Nov 2023 — Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to version 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app. Nextcloud Mail es la aplicación de correo de Nextcloud, una plataforma de productividad autohospedada. • https://github.com/nextcloud/mail/pull/8709 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 9EXPL: 1CVE-2023-48306 – Nextcloud Server DNS pin middleware can be tricked into DNS rebinding allowing SSRF
https://notcve.org/view.php?id=CVE-2023-48306
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, the DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise S... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8f69-f9jg-4x3v • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 4.4EPSS: 0%CPEs: 6EXPL: 2CVE-2023-48305 – Nextcloud Server user_ldap app logs user passwords in the log file on level debug
https://notcve.org/view.php?id=CVE-2023-48305
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, when the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.11, 26.0.6, and 27.1.0 contain a p... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 1CVE-2023-48304 – Nextcloud Server vulnerable to attacker enabling/disabling birthday calendar for any user
https://notcve.org/view.php?id=CVE-2023-48304
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and starting in version 22.0.0 and prior to versions 22.2.10.16, 23.0.12.11, 24.0.12.7, 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Enterprise Server, an attacker could enable and disable the birthday calendar for any user on the same server. Nextcloud Server 25.0.11, 26.0.6, and 27.1.0 and Nextcloud Enterprise Server 22.2.10.16, 2... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8jwv-c8c8-9fr3 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 3.3EPSS: 0%CPEs: 6EXPL: 0CVE-2023-48303 – Nextcloud Server admins can change authentication details of user configured external storage
https://notcve.org/view.php?id=CVE-2023-48303
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, admins can change authentication details of user configured external storage. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.11, 26.0.6, and 27.1.0 contain a patch for this issue. No known workarounds are available. Nextcloud Server proporciona almacenamiento de datos para Nextclo... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2448-44rp-c7hh • CWE-284: Improper Access Control •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-48302 – Nextcloud Server vulnerable to Self XSS when pasting HTML into Text app with Ctrl+Shift+V
https://notcve.org/view.php?id=CVE-2023-48302
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, when a user is tricked into copy pasting HTML code without markup (Ctrl+Shift+V) the markup will actually render. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.13, 26.0.8, and 27.1.3 contain a fix for this issue. As a workaround, disable app text. Nextcloud Server proporciona alm... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p7g9-x25m-4h87 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 1CVE-2023-48301 – Nextcloud Server HTML injection in search UI when selecting a circle with HTML in the display name
https://notcve.org/view.php?id=CVE-2023-48301
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and Nextcloud Enterprise Server, an attacker could insert links into circles name that would be opened when clicking the circle name in a search filter. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.13, 26.0.8, and 27.1.3 contain a fix for this issue. As a workaround, disable app circles. Nextcloud Server propor... • https://github.com/nextcloud/circles/pull/1415 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 11EXPL: 1CVE-2023-48239 – Nextcloud Server users can make external storage mount points inaccessible for other users
https://notcve.org/view.php?id=CVE-2023-48239
21 Nov 2023 — Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Server and starting in version 20.0.0 and prior to versions 20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8, and 27.1.3 of Nextcloud Enterprise Server, a malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud Server 25.0.13, 26.0.8, an... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f962-hw26-g267 • CWE-284: Improper Access Control •