CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-24888 – Possible Injection in Nextcloud Server
https://notcve.org/view.php?id=CVE-2022-24888
27 Apr 2022 — Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1, it is possible to create files and folders that have leading and trailing \n, \r, \t, and \v characters. The server rejects files and folders that have these characters in the middle of their names, so this might be an opportunity for injection. This issue is fixed in versions 20.0.14.4, 21.0.8, 22.2.4, and 23.0.1. There are currently no known workarounds.... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w3h6-p64h-q9jp • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 3.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24886 – Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client
https://notcve.org/view.php?id=CVE-2022-24886
27 Apr 2022 — Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds. La aplicación Android de Nextcloud es el cliente Android para Nextcloud, una plataforma de productividad autoalojada. • https://github.com/nextcloud/android/pull/9726 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 2.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24885 – Improper Authentication in Nextcloud Android Files
https://notcve.org/view.php?id=CVE-2022-24885
27 Apr 2022 — Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.1, users can bypass a lock on the Nextcloud app on an Android device by repeatedly reopening the app. Version 3.19.1 contains a fix for the problem. There are currently no known workarounds. La aplicación Android de Nextcloud es el cliente Android para Nextcloud, una plataforma de productividad autoalojada. • https://github.com/nextcloud/android/pull/9816 • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41233 – Missing authorization in Nextcloud text
https://notcve.org/view.php?id=CVE-2021-41233
10 Mar 2022 — Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the ... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-26c8-35cm-xq9m • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 1CVE-2022-24741 – High memory usage in Nextcloud server
https://notcve.org/view.php?id=CVE-2022-24741
09 Mar 2022 — Nextcloud server is an open source, self hosted cloud style services platform. In affected versions an attacker can cause a denial of service by uploading specially crafted files which will cause the server to allocate too much memory / CPU. It is recommended that the Nextcloud Server is upgraded to 21.0.8 , 22.2.4 or 23.0.1. Users unable to upgrade should disable preview generation with the `'enable_previews'` config flag. El servidor Nextcloud es una plataforma de servicios de código abierto, de estilo de... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf3h-xf4q-mh89 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41241 – Advanced permissions is not respected for subfolders in Nextcloud server
https://notcve.org/view.php?id=CVE-2021-41241
08 Mar 2022 — Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nex... • https://github.com/nextcloud/groupfolders/issues/1692 • CWE-862: Missing Authorization CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41239 – User enumeration setting not respected in Nextcloud server
https://notcve.org/view.php?id=CVE-2021-41239
08 Mar 2022 — Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41166 – Permission bypass in Nextcloud Android App
https://notcve.org/view.php?id=CVE-2021-41166
26 Jan 2022 — The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds. • https://github.com/nextcloud/android/commit/aa47197109970b8449c4e44601eba36e3481b086 • CWE-276: Incorrect Default Permissions •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-43863 – SQL Injection in FileContentProvider (GHSL-2021-1007)
https://notcve.org/view.php?id=CVE-2021-43863
25 Jan 2022 — The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to version 3.18.1 ... • https://github.com/nextcloud/android/commit/627caba60e69e223b0fc89c4cb18eaa76a95db95 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41177 – Rate-limits not working on instances without configured memory cache backend
https://notcve.org/view.php?id=CVE-2021-41177
25 Oct 2021 — Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcl... • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fj39-4qx4-m3f2 • CWE-799: Improper Control of Interaction Frequency •