Nextcloud · Nextcloud Server · CVE-2023-28833
**Name of the Vulnerable Software and Affected Versions**
Nextcloud Server versions prior to 24.0.10
Nextcloud Server versions prior to 25.0.4
**Description**
The issue stems from missing restrictions on the name of files uploaded as a custom logo or favicon in Nextcloud Server. An administrator who uploads a file with a maliciously crafted name can cause the server to overwrite files in the appdata directory. The vulnerability is exploitable by tricking an administrator into uploading such a file, and may allow a remote attacker to compromise the target system through arbitrary file upload.
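As an added illustration of the defensive pattern this class of bug calls for (example code, not Nextcloud's own), the following server-side check rejects client-supplied logo or favicon filenames that could escape the theming directory, and shows the stronger option of discarding the client name entirely in favour of a fixed server-chosen one. The directory path and the extension allowlist are assumptions made for the example.

```python
import os
import re

# Assumed values for illustration only; not Nextcloud's real layout or allowlist.
APPDATA_THEMING_DIR = "/srv/example/appdata/theming/images"  # hypothetical
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "svg", "ico", "gif"}  # assumed
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


class UnsafeFilename(ValueError):
    """Raised when an uploaded filename must not be used on disk."""


def validate_upload_name(name: str) -> str:
    """Return the name unchanged if it is a plain basename with an allowed
    extension; otherwise raise UnsafeFilename. Rejects path separators,
    NUL bytes, '..' sequences, hidden/dot names and unexpected extensions."""
    if "\x00" in name or "/" in name or "\\" in name or ".." in name:
        raise UnsafeFilename("path separator, NUL byte or '..' in name")
    if name == "" or name.startswith("."):
        raise UnsafeFilename("empty or hidden name")
    if not SAFE_NAME.fullmatch(name):
        raise UnsafeFilename("character outside the allowlist")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension {ext!r} not allowed")
    return name


def is_safe_upload_name(name: str) -> bool:
    """Boolean convenience wrapper around validate_upload_name."""
    try:
        validate_upload_name(name)
        return True
    except UnsafeFilename:
        return False


def target_path(name: str, base_dir: str = APPDATA_THEMING_DIR) -> str:
    """Resolve the destination and confirm it stays inside base_dir
    (defence in depth on top of the name check)."""
    safe = validate_upload_name(name)
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, safe))
    if os.path.commonpath([base, dest]) != base:
        raise UnsafeFilename("resolved path escapes the theming directory")
    return dest


def server_chosen_name(kind: str, client_name: str) -> str:
    """Strongest option: keep only the validated extension and store under a
    fixed name per upload kind ('logo' or 'favicon'), ignoring the client name."""
    if kind not in ("logo", "favicon"):
        raise ValueError("unknown upload kind")
    ext = validate_upload_name(client_name).rsplit(".", 1)[-1].lower()
    return f"{kind}.{ext}"
```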
**Recommendations**
For Nextcloud Server versions prior to 24.0.10, upgrade to version 24.0.10.
For Nextcloud Server versions prior to 25.0.4, upgrade to version 25.0.4.
As a temporary workaround for administrators who cannot upgrade, do not upload logo or favicon files obtained from untrusted sources.