CVE-2023-32320 – Nextcloud Server's brute force protection allows someone to send more requests than intended
https://notcve.org/view.php?id=CVE-2023-32320
Nextcloud Server is a data storage system for Nextcloud, a self-hosted productivity platform. When multiple requests were sent in parallel, all of them were executed even if the number of failed requests exceeded the limit by the time the response was sent to the client. This allowed an attacker to send as many requests as the server could handle in parallel to brute-force protected details, instead of the configured limit (default 8). Nextcloud Server versions 25.0.7 and 26.0.2 and Nextcloud Enterprise Server versions 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 and 26.0.2 contain patches for this issue.
References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qphh-6xh7-vffg
https://github.com/nextcloud/server/pull/38274
https://hackerone.com/reports/1918525
Weakness: CWE-307: Improper Restriction of Excessive Authentication Attempts
CVE-2023-33184 – Blind SSRF in the Nextcloud Mail app on avatar endpoint
https://notcve.org/view.php?id=CVE-2023-33184
Nextcloud Mail is a mail app for Nextcloud. A blind SSRF attack allowed sending GET requests to services running on the same web server. It is recommended that the Mail app is updated to version 3.02, 2.2.5 or 1.15.3.
References:
https://github.com/nextcloud/mail/pull/8275
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8gph-9895-w564
https://hackerone.com/reports/1913095
Weakness: CWE-918: Server-Side Request Forgery (SSRF)
CVE-2023-32319 – Basic auth header on WebDAV requests is not brute-force protected in Nextcloud
https://notcve.org/view.php?id=CVE-2023-32319
Nextcloud Server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed brute-forcing user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade.
References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54
https://github.com/nextcloud/server/pull/37227
Weakness: CWE-307: Improper Restriction of Excessive Authentication Attempts
CVE-2023-32318 – User session not correctly destroyed on logout
https://notcve.org/view.php?id=CVE-2023-32318
Nextcloud Server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account, the previous session would be continued and the attacker would be authenticated as the previously logged-in user. It is recommended that Nextcloud Server is upgraded to 25.0.6 or 26.0.1.
References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38
https://github.com/nextcloud/text/pull/3946
Weakness: CWE-613: Insufficient Session Expiration
CVE-2023-28847 – Nextcloud Server missing brute force protection for passwords of password protected share links
https://notcve.org/view.php?id=CVE-2023-28847
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5, as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5, an attacker is not restricted in verifying passwords of share links, so they can simply brute-force the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.
References:
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w
https://github.com/nextcloud/server/pull/35057
https://hackerone.com/reports/1894653
Weakness: CWE-307: Improper Restriction of Excessive Authentication Attempts