
security-advisories — Vulnerabilities & Security Advisories (245)

All 245 CVE vulnerabilities found in security-advisories, with AI-generated Chinese analysis, references, and POCs.

Vendor: nextcloud

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2023-39963 | Missing password confirmation when creating app passwords | CWE-284 | 8.1 | High | 2023-08-10 |
| CVE-2023-39962 | Users can delete external storage mount points | CWE-284 | 7.7 | High | 2023-08-10 |
| CVE-2023-39961 | Text does not respect "Allow download" permissions | CWE-284 | 3.5 | Low | 2023-08-10 |
| CVE-2023-39959 | Existence of calendars and address books can be checked by unauthenticated users | CWE-284 | 3.5 | Low | 2023-08-10 |
| CVE-2023-39958 | Missing brute force protection on password reset token OAuth2 API controller | CWE-307 | 5.8 | Medium | 2023-08-10 |
| CVE-2023-39957 | Path traversal allows tricking the Talk Android app into writing files into its root directory | CWE-22 | 3.3 | - | 2023-08-10 |
| CVE-2023-39955 | Notes attachment render HTML in preview mode | CWE-79 | 3.5 | Low | 2023-08-10 |
| CVE-2023-39954 | user_oidc app stores client secret unencrypted in database | CWE-311 | 3.8 | Low | 2023-08-10 |
| CVE-2023-39953 | Issuer not verified from obtained token in user_oidc | CWE-303 | 4.8 | Medium | 2023-08-10 |
| CVE-2023-39952 | Advanced permissions not respected when copying entire group folders | CWE-284 | 6.5 | Medium | 2023-08-10 |
| CVE-2023-35928 | Nextcloud user scoped external storage can be used to gather credentials of other users | CWE-274 | 8.5 | High | 2023-06-23 |
| CVE-2023-35927 | Nextcloud system addressbooks can be modified by malicious trusted server | CWE-284 | 7.6 | High | 2023-06-23 |
| CVE-2023-35173 | End-to-End encrypted file-drops can be made inaccessible | CWE-284 | 5.7 | Medium | 2023-06-23 |
| CVE-2023-35172 | Nextcloud Server password reset endpoint is not brute force protected | CWE-307 | 8.7 | High | 2023-06-23 |
| CVE-2023-35171 | Nextcloud Server vulnerable to open redirect on "Unsupported browser" warning | CWE-601 | 4.1 | Medium | 2023-06-23 |
| CVE-2023-32320 | Nextcloud Server's brute force protection allows someone to send more requests than intended | CWE-307 | 8.7 | High | 2023-06-22 |
| CVE-2023-33183 | Error in calendar when booking an appointment reveals the full path of the website | CWE-285 | 2.6 | Low | 2023-05-30 |
| CVE-2023-33182 | Nextcloud Contacts photos only sanitized if mime type is all lower case | CWE-20 | - | - | 2023-05-30 |
| CVE-2023-33184 | Blind SSRF in the Nextcloud Mail app on avatar endpoint | CWE-918 | 3.5 | Low | 2023-05-27 |
| CVE-2023-32319 | Basic auth header on WebDAV requests is not brute-force protected in Nextcloud | CWE-307 | 8.1 | High | 2023-05-26 |
| CVE-2023-32318 | User session not correctly destroyed on logout | CWE-613 | 7.2 | High | 2023-05-26 |
| CVE-2023-32074 | Nextcloud user_oidc app is missing brute force protection | CWE-307 | 8.0 | High | 2023-05-25 |
| CVE-2023-28847 | Nextcloud Server missing brute force protection for passwords of password protected share links | CWE-307 | 3.1 | Low | 2023-04-25 |
| CVE-2023-30540 | Chat poll data can still be queried from API after purging history in Nextcloud Talk | CWE-200 | 3.5 | Low | 2023-04-17 |
| CVE-2023-30539 | Users can set up workflows using restricted and invisible system tags in Nextcloud | CWE-284 | 6.5 | Medium | 2023-04-17 |
| CVE-2023-29000 | Nextcloud Desktop client does not verify received signed certificate in end-to-end encryption | CWE-295 | 5.4 | Medium | 2023-04-04 |
| CVE-2023-28999 | Nextcloud: Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders | CWE-325 | 6.9 | Medium | 2023-04-04 |
| CVE-2023-28998 | Nextcloud Desktop client misbehaves with E2EE when the server returns empty list of metadata keys | CWE-325 | 6.7 | Medium | 2023-04-04 |
| CVE-2023-28997 | Nextcloud Desktop: Initialization vector reuse in E2EE allows malicious server admin to break, manipulate, access files | CWE-323 | 6.7 | Medium | 2023-04-04 |
| CVE-2023-28848 | CSRF protection on user_oidc login returned the expected token in case of an error | CWE-352 | 4.8 | Medium | 2023-04-04 |
