Nextcloud Server is a suite of client-server software for creating and using a data storage service.
Release cycle, vulnerability information
Release schedule
Count: 440
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| GHSA-h6j9-6xjq-44c4 Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. | CVSS3: 4.3 | 0% Low | about 2 months ago |
| CVE-2025-64011 Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions. | CVSS3: 4.3 | 0% Low | about 2 months ago |
| CVE-2025-66552 Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1. | CVSS3: 4.3 | 0% Low | 2 months ago |
| CVE-2025-66547 Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1. | CVSS3: 4.3 | 0% Low | 2 months ago |
| CVE-2025-66512 Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Server Enterprise prior to 31.0.12 and 32.0.3, a missing sanitization allowed malicious users to circumvent the content security policy when a malicious user manages to trick a user into viewing an uploaded SVG outside of the Nextcloud Server's web page. | CVSS3: 5.4 | 0% Low | 2 months ago |
| CVE-2025-66510 Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed retrieval of personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts. | CVSS3: 4.5 | 0% Low | 2 months ago |