Page 6 of 42 results (0.005 seconds)

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w https://github.com/nextcloud/server/pull/35057 https://hackerone.com/reports/1894653 • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0

Nextcloud is a personal home server system. Depending on the set up tags and other workflows this issue can be used to limit access of others or being able to grant them access when there are system tag based files access control or files retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1. Users unable to upgrade should disable all workflow related apps. Users are advised to upgrade. • https://github.com/nextcloud/files_automatedtagging/pull/705 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3m2f-v8x7-9w99 https://github.com/nextcloud/server/pull/37252 https://hackerone.com/reports/1895976 • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 2

Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from an API endpoint. By itself this information is not problematic as it can also be guessed for most common setups, but it could speed up other unknown attacks in the future if the information is known. Nextcloud Server 24.0.6 and 25.0.4 and Nextcloud Enterprise Server 23.0.11, 24.0.6, and 25.0.4 contain patches for this issue. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5w64-6c42-rgcv https://github.com/nextcloud/server/issues/33883 https://github.com/nextcloud/server/pull/36094 https://hackerone.com/reports/1690510 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w47p-f66h-h2vj https://github.com/nextcloud/server/pull/36113 • CWE-284: Improper Access Control •

CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9 https://github.com/nextcloud/server/pull/36093 • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) •