Nextcloud Server — набор клиент-серверных программ для создания и использования хранилища данных.
Релизный цикл, информация об уязвимостях
График релизов
Количество 440
CVE-2022-31118
Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`.
CVE-2022-31118
Nextcloud server is an open source personal cloud solution. In affecte ...
CVE-2022-31014
Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8 , 23.0.5 or 24.0.1. There are no known workarounds for this issue.
CVE-2022-31014
Nextcloud server is an open source personal cloud server. Affected ver ...
CVE-2022-29243
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available.
CVE-2022-29243
Nextcloud Server is the file server software for Nextcloud, a self-hos ...
GHSA-3qm7-9jrc-h4gp
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.
GHSA-v65r-wc6r-r9x8
A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.
GHSA-6m9p-3vwc-4p47
Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured.
GHSA-mjfh-rmmm-2mm7
A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2022-31118 Nextcloud server is an open source personal cloud solution. In affected versions an attacker could brute force to find if federated sharing is being used and potentially try to brute force access tokens for federated shares (`a-zA-Z0-9` ^ 15). It is recommended that the Nextcloud Server is upgraded to 22.2.9, 23.0.6 or 24.0.2. Users unable to upgrade may disable federated sharing via the Admin Sharing settings in `index.php/settings/admin/sharing`. | CVSS3: 6.5 | 0% Низкий | больше 3 лет назад |
| CVE-2022-31118 Nextcloud server is an open source personal cloud solution. In affecte ... | CVSS3: 6.5 | 0% Низкий | больше 3 лет назад |
| CVE-2022-31014 Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8 , 23.0.5 or 24.0.1. There are no known workarounds for this issue. | CVSS3: 5.4 | 1% Низкий | больше 3 лет назад |
| CVE-2022-31014 Nextcloud server is an open source personal cloud server. Affected ver ... | CVSS3: 5.4 | 1% Низкий | больше 3 лет назад |
| CVE-2022-29243 Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Prior to versions 22.2.7 and 23.0.4, missing input-size validation of new session names allows users to create app passwords with long names. These long names are then loaded into memory on usage, resulting in impacted performance. Versions 22.2.7 and 23.0.4 contain a fix for this issue. There are currently no known workarounds available. | CVSS3: 4.3 | 1% Низкий | больше 3 лет назад |
| CVE-2022-29243 Nextcloud Server is the file server software for Nextcloud, a self-hos ... | CVSS3: 4.3 | 1% Низкий | больше 3 лет назад |
| GHSA-3qm7-9jrc-h4gp Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`. | 0% Низкий | больше 3 лет назад | |
| GHSA-v65r-wc6r-r9x8 A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet. | CVSS3: 6.5 | 0% Низкий | больше 3 лет назад |
| GHSA-6m9p-3vwc-4p47 Nextcloud Server prior to 20.0.0 stores passwords in a recoverable format even when external storage is not configured. | 1% Низкий | больше 3 лет назад | |
| GHSA-mjfh-rmmm-2mm7 A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. | 0% Низкий | больше 3 лет назад |
Уязвимостей на страницу