Dorra Jaouad

**Name of the Vulnerable Software and Affected Versions** Nextcloud versions 33.0.0 through 33.0.x **Description** An issue exists in the Nextcloud Files app for Android where the PIN can be bypassed. After unlocking a locked Android phone, the back-button can be used to circumvent the PIN requirement within the `PassCodeActivity` function. **Recommendations** Update to version 33.1.0.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions 32.0.0 through 32.0.8 Nextcloud Server versions 33.0.0 through 33.0.2 Nextcloud Enterprise Server versions prior to 33.0.3 Nextcloud Enterprise Server versions prior to 32.0.9 Nextcloud Enterprise Server versions prior to 31.0.14.5 Nextcloud Enterprise Server versions prior to 30.0.17.9 Nextcloud Enterprise Server versions prior to 29.0.16.16 Nextcloud Enterprise Server versions prior to 28.0.14.17 Nextcloud Enterprise Server versions prior to 27.1.11.26 Nextcloud Enterprise Server versions prior to 26.0.13.26 Nextcloud Enterprise Server versions prior to 25.0.13.29 Nextcloud Enterprise Server versions prior to 24.0.12.34 Nextcloud Enterprise Server versions prior to 23.0.12.35 Nextcloud Enterprise Server versions prior to 22.2.10.39 Nextcloud Enterprise Server versions prior to 21.0.9.23 **Description** Improper authorization controls in the calendar backend allow an authenticated attacker with knowledge of another user's principal URL to send a request and gain full access to that user's calendar. This access enables the attacker to view and modify the calendar data. **Recommendations** Upgrade to version 32.0.9 Upgrade to version 33.0.3 Upgrade to version 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17, 27.1.11.26, 26.0.13.26, 25.0.13.29, 24.0.12.34, 23.0.12.35, 22.2.10.39, or 21.0.9.23 depending on the current installation branch

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authenticated attacker can access attachments of link shares when knowing the share token, circumventing password protection or download restrictions. It is applicable to any file that is shared directly, as the attacker only needs to know a documentId they own, apart of the mentioned share token. For shared folders the attacker has to know or guess a documentId of a file that is included inside the folder, making it much harder to exploit. The attacker can only extract an attachments, but not the file shared file or folder itself. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9, 29.0.16.16, 28.0.14.17 or 27.1.11.5

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions 32.0.0 through 32.0.1 Nextcloud Server versions 33.0.0 through 33.0.0 Nextcloud Enterprise Server versions prior to 31.0.14.4 Nextcloud Enterprise Server versions 32.0.0 through 32.0.1 Nextcloud Enterprise Server versions 33.0.0 through 33.0.0 **Description** The `files lock` app fails to properly validate file ownership when processing DAV lock and unlock requests. An authenticated user can lock or unlock files belonging to other users by targeting their absolute WebDAV paths. Furthermore, lock tokens are disclosed to unauthorized callers within error responses, which enables attackers to remove token-based locks established by other users' client applications. **Recommendations** Upgrade to version 32.0.2 or 33.0.1. Upgrade to version 31.0.14.4, 32.0.2, or 33.0.1.

**Name of the Vulnerable Software and Affected Versions** Nextcloud versions 1.3.6 through 8.3.x **Description** An improper check in the authentication process allows users provided by LDAP to continue authenticating via user OIDC even after they have been deleted. **Recommendations** Update to version 8.4.0.

**Name of the Vulnerable Software and Affected Versions** Nextcloud versions 32.0.0 through 32.0.8 Nextcloud versions 33.0.0 through 33.0.2 **Description** When a user shares a folder or file with a Nextcloud Team containing an external member (a person added via email without a Nextcloud account), the system automatically generates a public link for that member. This link is sent via email and grants permissions to read, write, delete, reshare, and download data based on the Team's access level. Because the link is not displayed in the folder's share section, the owner is unaware of its existence and cannot revoke it through the standard sharing interface. An attacker who intercepts or receives this link can access and manipulate the shared data without authentication. **Recommendations** Update to version 32.0.9 for versions in the 32.x branch. Update to version 33.0.3 for versions in the 33.x branch.

**Name of the Vulnerable Software and Affected Versions** Nextcloud versions 5.5.13 through 5.5.16 Nextcloud versions 6.2.0 through 6.2.2 **Description** An authenticated user can enumerate other users on the same instance. This is possible because sharing restrictions were not effectively applied to the Calendar app's endpoint used for suggesting attendees. **Recommendations** Update to version 5.5.17. Update to version 6.2.3.

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, an authentication bypass vulnerability allowed attackers with knowledge of a user's password to circumvent two-factor authentication (2FA) protections. When a user initiated login with valid credentials on a 2FA-enabled account, the system created a temporary session token before enforcing the second factor challenge. This token could be extracted and replayed via HTTP Basic Authentication to gain unauthorized access to authenticated endpoints. It is recommended that the Nextcloud Server is upgraded to 33.0.3 or 32.0.9. It is recommended that the Nextcloud Enterprise Server is upgraded to 33.0.3, 32.0.9, 31.0.14.5, 30.0.17.9 or 29.0.16.16

Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to normal SQL injections, the ORDER BY is limited to extracting a single bit of information per request or to make the database wait for a given time. This issue has been patched in versions 0.9.7 and 1.0.2.

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 31.0.0 to before 31.0.12, and 32.0.0 to before 32.0.3, a missing check of a relation allowed authenticated users with access to any file comment, to read the content of all comments. It is recommended that the Nextcloud Server is upgraded to 31.0.12 or 32.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.20, 22.2.10.35, 23.0.12.31, 24.0.12.30, 25.0.13.25, 26.0.13.22, 27.1.11.22, 28.0.14.13, 29.0.16.10, 30.0.17.5, 31.0.12 or 32.0.3