| CVE-2021-32741 |
AVG-2144 |
Low |
Yes |
Information disclosure |
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to... |
| CVE-2021-32734 |
AVG-2144 |
Low |
Yes |
Information disclosure |
In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user.... |
| CVE-2021-32733 |
AVG-2144 |
Low |
Yes |
Cross-site scripting |
A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server... |
| CVE-2021-32726 |
AVG-2144 |
High |
Yes |
Authentication bypass |
In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username,... |
| CVE-2021-32725 |
AVG-2144 |
Low |
Yes |
Access restriction bypass |
In Nextcloud Server versions prior to 21.0.3, default share permissions were not being respected for federated reshares of files and folders. |
| CVE-2021-32705 |
AVG-2144 |
Low |
Yes |
Information disclosure |
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate... |
| CVE-2021-32703 |
AVG-2144 |
Low |
Yes |
Information disclosure |
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate... |
| CVE-2021-32688 |
AVG-2144 |
High |
Yes |
Privilege escalation |
Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g.... |
| CVE-2021-32680 |
AVG-2144 |
Low |
Yes |
Incorrect calculation |
In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share... |
| CVE-2021-32679 |
AVG-2144 |
Low |
Yes |
Content spoofing |
In Nextcloud Server versions prior to 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename... |
| CVE-2021-32678 |
AVG-2144 |
Low |
Yes |
Insufficient validation |
In Nextcloud Server versions prior to 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using... |
| CVE-2021-32657 |
AVG-2024 |
Low |
Yes |
Denial of service |
A security issue has been found in Nextcloud Server before version 21.0.2. A malicious user may be able to break the user administration page. This would... |
| CVE-2021-32656 |
AVG-2024 |
Medium |
Yes |
Information disclosure |
A security issue has been found in Nextcloud Server before version 21.0.2. Nextcloud supports sharing of the registered users with other Nextcloud servers.... |
| CVE-2021-32655 |
AVG-2024 |
Low |
Yes |
Information disclosure |
A security issue has been found in Nextcloud Server before version 21.0.2. An attacker is able to convert a Files Drop link to a federated share. This... |
| CVE-2021-32654 |
AVG-2024 |
High |
Yes |
Arbitrary filesystem access |
A security issue has been found in Nextcloud Server before version 21.0.2. An attacker is able to receive write/read privileges on any Federated File Share.... |
| CVE-2021-32653 |
AVG-2024 |
Low |
Yes |
Information disclosure |
Nextcloud Server before version 21.0.2 sends user IDs to the lookup server even if the user has no fields set to be published. |
| CVE-2021-32610 |
AVG-2225 |
Medium |
Yes |
Directory traversal |
In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193. |
| CVE-2021-22915 |
AVG-2024 |
Low |
Yes |
Access restriction bypass |
Nextcloud server before version 21.0.2 did not consider IPv6 subnets in the ratelimiting implementation. This could potentially result in an attacker... |
| CVE-2020-36193 |
AVG-1464 |
Medium |
Yes |
Directory traversal |
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to... |