AVG-2144 log

Package: nextcloud
Status: Fixed
Severity: High
Type: multiple issues
Affected: 21.0.2-1
Fixed: 21.0.3-1
Current: 28.0.3-1 [extra]
Ticket: None
Created: Tue Jul 13 10:25:17 2021
Issue | Severity | Remote | Type
Description

CVE-2021-32741 | Low | Yes | Information disclosure
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to...

CVE-2021-32734 | Low | Yes | Information disclosure
In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user....

CVE-2021-32733 | Low | Yes | Cross-site scripting
A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server...

CVE-2021-32726 | High | Yes | Authentication bypass
In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username,...

CVE-2021-32725 | Low | Yes | Access restriction bypass
In Nextcloud Server versions prior to 21.0.3, default share permissions were not being respected for federated reshares of files and folders.

CVE-2021-32705 | Low | Yes | Information disclosure
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate...

CVE-2021-32703 | Low | Yes | Information disclosure
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate...

CVE-2021-32688 | High | Yes | Privilege escalation
Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific application (e.g....

CVE-2021-32680 | Low | Yes | Incorrect calculation
In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share...

CVE-2021-32679 | Low | Yes | Content spoofing
In Nextcloud Server versions prior to 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename...

CVE-2021-32678 | Low | Yes | Insufficient validation
In Nextcloud Server versions prior to 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using...
Date | Advisory | Package | Type
14 Jul 2021 | ASA-202107-22 | nextcloud | multiple issues