CVE-2024-52514 – Nextcloud Server allows users to copy folder that contain files that are blocked by the files access control
https://notcve.org/view.php?id=CVE-2024-52514
Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g8pr-g25r-58xj https://github.com/nextcloud/server/commit/5fffbcfe8650eab75b00e8d188fbc95b0e43f3a8 https://github.com/nextcloud/server/pull/44889 https://hackerone.com/reports/2447316 • CWE-284: Improper Access Control •
CVE-2024-52515 – Nextcloud Server has incomplete sanitization of SVG files allows to embed other images into previews
https://notcve.org/view.php?id=CVE-2024-52515
Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5m5g-hw8c-2236 https://github.com/nextcloud/server/commit/7e1c30f82a63fbea8c269e0eec38291377f32604 https://github.com/nextcloud/server/pull/45340 https://hackerone.com/reports/2484499 • CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVE-2024-37887 – Nextcloud Server's events information leaked with shared calendars on recurrence exceptions
https://notcve.org/view.php?id=CVE-2024-37887
Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1. Nextcloud Server es un sistema de nube personal autohospedado. Los participantes pueden leer las excepciones de recurrencia de los eventos privados del calendario compartido. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595 https://github.com/nextcloud/server/pull/45309 https://hackerone.com/reports/2479325 • CWE-284: Improper Access Control •
CVE-2024-37884 – Nextcloud Server's users can delete old versions of read-only shared files
https://notcve.org/view.php?id=CVE-2024-37884
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3. Nextcloud Server es un sistema de nube personal autohospedado. Un usuario malintencionado pudo enviar solicitudes de eliminación de versiones antiguas de archivos que solo compartieron con permisos de lectura. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c https://github.com/nextcloud/server/pull/43727 https://hackerone.com/reports/2290680 • CWE-284: Improper Access Control •
CVE-2024-37315 – Nextcloud Server's read-only users can restore old versions
https://notcve.org/view.php?id=CVE-2024-37315
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3. Nextcloud Server es un sistema de nube personal autohospedado. Un atacante con acceso de solo lectura a un archivo puede restaurar versiones anteriores de un documento cuando la aplicación files_versions está habilitada. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942 https://github.com/nextcloud/server/pull/43727 https://hackerone.com/reports/1356508 • CWE-284: Improper Access Control •