Nextcloud Server — набор клиент-серверных программ для создания и использования хранилища данных.
Релизный цикл, информация об уязвимостях
График релизов
Количество 409
CVE-2022-31118
Nextcloud server is an open source personal cloud solution. In affecte ...
CVE-2022-31014
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8 , 23.0.5 or 24.0.1. There are no known workarounds for this issue.
CVE-2022-31014
Nextcloud server is an open source personal cloud server. Affected ver ...
CVE-2022-29243
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.
CVE-2022-29243
Nextcloud Server is the file server software for Nextcloud, a self-hos ...
GHSA-3qm7-9jrc-h4gp
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
GHSA-v65r-wc6r-r9x8
A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.
GHSA-6m9p-3vwc-4p47
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
GHSA-mjfh-rmmm-2mm7
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
GHSA-m9wc-h684-m6rq
A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
| CVE-2022-31118 Nextcloud server is an open source personal cloud solution. In affecte ... | CVSS3: 6.5 | 0% Низкий | почти 3 года назад |
 | CVE-2022-31014 Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8 , 23.0.5 or 24.0.1. There are no known workarounds for this issue. | CVSS3: 5.4 | 0% Низкий | почти 3 года назад |
| CVE-2022-31014 Nextcloud server is an open source personal cloud server. Affected ver ... | CVSS3: 5.4 | 0% Низкий | почти 3 года назад |
| CVE-2022-29243 Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available. | CVSS3: 4.3 | 0% Низкий | около 3 лет назад |
| CVE-2022-29243 Nextcloud Server is the file server software for Nextcloud, a self-hos ... | CVSS3: 4.3 | 0% Низкий | около 3 лет назад |
| GHSA-3qm7-9jrc-h4gp Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. | 0% Низкий | около 3 лет назад | |
| GHSA-v65r-wc6r-r9x8 A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. | CVSS3: 6.5 | 0% Низкий | около 3 лет назад |
| GHSA-6m9p-3vwc-4p47 Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured. | 0% Низкий | около 3 лет назад | |
| GHSA-mjfh-rmmm-2mm7 A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. | 0% Низкий | около 3 лет назад | |
| GHSA-m9wc-h684-m6rq A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user. | 1% Низкий | около 3 лет назад |
Уязвимостей на страницу