Page 5 of 43 results (0.008 seconds)

CVSS: 8.8EPSS: 0%CPEs: 10EXPL: 0

Nextcloud Server is a space for data storage on Nextcloud, a self-hosted productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until 19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, a user could use this functionality to get access to the login credentials of another user and take over their account. This issue has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and NextCloud Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2. Three workarounds are available. Disable app files_external. Change config setting "Allow users to mount external storage" to disabled in "Administration" > "External storage" settings `…/index.php/settings/admin/externalstorages`. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h https://github.com/nextcloud/server/pull/38265 https://hackerone.com/reports/1978882 • CWE-274: Improper Handling of Insufficient Privileges •

CVSS: 8.1EPSS: 0%CPEs: 10EXPL: 0

NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, when two server are registered as trusted servers for each other and successfully exchanged the share secrets, the malicious server could modify or delete VCards in the system addressbook on the origin server. This would impact the available and shown information in certain places, such as the user search and avatar menu. If a manipulated user modifies their own data in the personal settings the entry is fixed again. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. A workaround is available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7f7-535f-7q87 https://github.com/nextcloud/server/pull/38247 https://hackerone.com/reports/1976754 • CWE-284: Improper Access Control •

CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 0

NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 https://github.com/nextcloud/server/pull/38267 https://hackerone.com/reports/1987062 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVSS: 8.7EPSS: 0%CPEs: 8EXPL: 0

Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests are sent in parallel, all of them were executed even if the amount of faulty requests succeeded the limit by the time the response was sent to the client. This allowed someone to send as many requests the server could handle in parallel to bruteforce protected details instead of the configured limit, default 8. Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg https://github.com/nextcloud/server/pull/38274 https://hackerone.com/reports/1918525 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54 https://github.com/nextcloud/server/pull/37227 • CWE-307: Improper Restriction of Excessive Authentication Attempts •