
CVSS: 9.8 | EPSS: 0% | CPEs: 7 | EXPL: 0

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4, as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4, when a (reverse) proxy is configured as a trusted proxy, the server could be tricked into reading a wrong remote address for an attacker, allowing them to execute more authentication attempts than intended. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5j2p-q736-hw98
• https://github.com/nextcloud/server/pull/41526
• https://hackerone.com/reports/2230915
• CWE-307: Improper Restriction of Excessive Authentication Attempts

CVSS: 5.4 | EPSS: 0% | CPEs: 7 | EXPL: 0

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server prior to versions 26.0.9 and 27.1.4, as well as Nextcloud Enterprise Server prior to versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4, when an attacker manages to get access to an active session of another user by other means, they could delete and modify workflows by sending calls directly to the API, bypassing the password confirmation shown in the UI. Nextcloud Server versions 26.0.9 and 27.1.4 and Nextcloud Enterprise Server versions 23.0.12.13, 24.0.12.9, 25.0.13.4, 26.0.9, and 27.1.4 contain a patch for this issue. No known workarounds are available.
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3f8p-6qww-2prr
• https://github.com/nextcloud/server/pull/41520
• https://hackerone.com/reports/2120667
• CWE-284: Improper Access Control
• CWE-287: Improper Authentication

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. Prior to version 4.9.2, the application can be used without providing the 4-digit PIN code. The Nextcloud iOS Files app should be upgraded to 4.9.2 to receive the patch. No known workarounds are available.
• https://github.com/nextcloud/ios/pull/2665
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j8g7-88vv-rggv
• https://hackerone.com/reports/2245437
• CWE-287: Improper Authentication

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain access to the stack trace and internal paths of the server when generating an exception while editing a calendar appointment. It is recommended that the Nextcloud Calendar app is upgraded to 4.5.3.
• https://github.com/nextcloud/calendar/pull/5553
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fv3c-qvjr-5rv8
• CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
• CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Starting in version 1.13.0 and prior to versions 2.2.8 and 3.3.0, an attacker can use an unprotected endpoint in the Mail app to perform an SSRF attack. Nextcloud Mail app versions 2.2.8 and 3.3.0 contain a patch for this issue. As a workaround, disable the mail app.
• https://github.com/nextcloud/mail/pull/8709
• https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4pp4-m8ph-2999
• https://hackerone.com/reports/1869714
• CWE-918: Server-Side Request Forgery (SSRF)