nextcloud

Description: A cloud server to store your files centrally on hardware controlled by you
Version: 28.0.3-1 [extra]

Resolved

Group     Affected  Fixed     Severity  Status  Ticket
AVG-2225  22.1.1-1  22.2.0-1  Medium    Fixed
AVG-2144  21.0.2-1  21.0.3-1  High      Fixed
AVG-2024  21.0.1-3  21.0.2-1  High      Fixed
AVG-1464  20.0.5-2  20.0.6-1  Medium    Fixed
Issue           Group     Severity  Remote  Type
CVE-2021-32741  AVG-2144  Low       Yes     Information disclosure
    In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to...
CVE-2021-32734  AVG-2144  Low       Yes     Information disclosure
    In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user....
CVE-2021-32733  AVG-2144  Low       Yes     Cross-site scripting
    A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server...
CVE-2021-32726  AVG-2144  High      Yes     Authentication bypass
    In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username,...
CVE-2021-32725  AVG-2144  Low       Yes     Access restriction bypass
    In Nextcloud Server versions prior to 21.0.3, default share permissions were not being respected for federated reshares of files and folders.
CVE-2021-32705  AVG-2144  Low       Yes     Information disclosure
    In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate...
CVE-2021-32703  AVG-2144  Low       Yes     Information disclosure
    In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate...
CVE-2021-32688  AVG-2144  High      Yes     Privilege escalation
    Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific application (e.g....
CVE-2021-32680  AVG-2144  Low       Yes     Incorrect calculation
    In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share...
CVE-2021-32679  AVG-2144  Low       Yes     Content spoofing
    In Nextcloud Server versions prior to 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename...
CVE-2021-32678  AVG-2144  Low       Yes     Insufficient validation
    In Nextcloud Server versions prior to 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using...
CVE-2021-32657  AVG-2024  Low       Yes     Denial of service
    A security issue has been found in Nextcloud Server before version 21.0.2. A malicious user may be able to break the user administration page. This would...
CVE-2021-32656  AVG-2024  Medium    Yes     Information disclosure
    A security issue has been found in Nextcloud Server before version 21.0.2. Nextcloud supports sharing of the registered users with other Nextcloud servers....
CVE-2021-32655  AVG-2024  Low       Yes     Information disclosure
    A security issue has been found in Nextcloud Server before version 21.0.2. An attacker is able to convert a Files Drop link to a federated share. This...
CVE-2021-32654  AVG-2024  High      Yes     Arbitrary filesystem access
    A security issue has been found in Nextcloud Server before version 21.0.2. An attacker is able to receive write/read privileges on any Federated File Share....
CVE-2021-32653  AVG-2024  Low       Yes     Information disclosure
    Nextcloud Server before version 21.0.2 sends user IDs to the lookup server even if the user has no fields set to be published.
CVE-2021-32610  AVG-2225  Medium    Yes     Directory traversal
    In Archive_Tar before 1.4.14, symlinks can refer to targets outside of the extracted archive, a different vulnerability than CVE-2020-36193.
CVE-2021-22915  AVG-2024  Low       Yes     Access restriction bypass
    Nextcloud server before version 21.0.2 did not consider IPv6 subnets in the ratelimiting implementation. This could potentially result in an attacker...
CVE-2020-36193  AVG-1464  Medium    Yes     Directory traversal
    Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to...

Advisories

Date         Advisory       Group     Severity  Type
14 Jul 2021  ASA-202107-22  AVG-2144  High      multiple issues
06 Feb 2021  ASA-202102-7   AVG-1464  Medium    directory traversal