Hackitbharat

**Name of the Vulnerable Software and Affected Versions** Nextcloud Deck versions prior to 1.9.5 Nextcloud Deck versions prior to 1.11.2 **Description** The issue allows users to be tricked into executing malicious code in their browser via HTML sent as a comment. This is a problem with the way the application handles comments, allowing for the execution of malicious HTML code. **Recommendations** For versions prior to 1.9.5, upgrade to version 1.9.5 or later. For versions prior to 1.11.2, upgrade to version 1.11.2 or later. As a temporary workaround, consider restricting the use of HTML in comments until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Talk versions prior to 15.0.5 **Description** The issue allows a user added later to a conversation to access data that was deleted before they were added. This is a problem in Nextcloud Talk, a chat, video, and audio call extension for Nextcloud. **Recommendations** For versions prior to 15.0.5, upgrade to version 15.0.5 to resolve the issue. As a temporary workaround, consider restricting access to conversations that contain sensitive or deleted data until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions 24.0.0 through 24.0.10 Nextcloud Server versions 25.0.0 through 25.0.4 Nextcloud Server Enterprise versions 23.0.0 through 23.0.12.5 Nextcloud Server Enterprise versions 24.0.0 through 24.0.10 Nextcloud Server Enterprise versions 25.0.0 through 25.0.4 **Description** The issue allows an attacker to brute force passwords of share links without restriction. This is possible because the attacker is not restricted in verifying passwords of share links. **Recommendations** For Nextcloud Server versions 24.0.0 through 24.0.10, update to version 24.0.11 or later. For Nextcloud Server versions 25.0.0 through 25.0.4, update to version 25.0.5 or later. For Nextcloud Server Enterprise versions 23.0.0 through 23.0.12.5, update to version 23.0.12.6 or later. For Nextcloud Server Enterprise versions 24.0.0 through 24.0.10, update to version 24.0.11 or later. For Nextcloud Server Enterprise versions 25.0.0 through 25.0.4, update to version 25.0.5 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud server versions 24.0.0 through 24.0.10 Nextcloud server versions 25.0.0 through 25.0.4 Nextcloud server versions prior to 26.0.0 **Description** The issue is related to missing brute-force protection on the WebDAV endpoints via the basic auth header, allowing brute-forcing of user credentials when the provided user name was not an email address. **Recommendations** For Nextcloud server versions 24.0.0 through 24.0.10, upgrade to version 24.0.11 or later. For Nextcloud server versions 25.0.0 through 25.0.4, upgrade to version 25.0.5 or later. For Nextcloud server versions prior to 26.0.0, upgrade to version 26.0.0 or later.