Lukas Reschke

**Name of the Vulnerable Software and Affected Versions** Nextcloud Talk versions prior to 10.0.7 Nextcloud Talk versions prior to 10.1.4 Nextcloud Talk versions prior to 11.1.2 Nextcloud Talk versions prior to 11.2.0 Nextcloud Talk versions prior to 12.0.0 **Description** The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) issue. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. **Recommendations** For versions prior to 10.0.7, upgrade to version 10.0.7 or later. For versions prior to 10.1.4, upgrade to version 10.1.4 or later. For versions prior to 11.1.2, upgrade to version 11.1.2 or later. For versions prior to 11.2.0, upgrade to version 11.2.0 or later. For versions prior to 12.0.0, upgrade to version 12.0.0 or later. As a temporary workaround, consider using a browser that has support for Content-Security-Policy.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Contacts versions prior to 4.0.3 **Description** The Nextcloud Contacts application is vulnerable to a stored Cross-Site Scripting (XSS) issue. To exploit this, a user must right-click on a malicious file and open it in a new tab. However, due to the strict Content-Security-Policy in Nextcloud, this issue is not exploitable on modern browsers that support Content-Security-Policy. **Recommendations** For versions prior to 4.0.3, upgrade the Nextcloud Contacts application to version 4.0.3. As a temporary workaround, consider using a browser that supports Content-Security-Policy to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Deck versions prior to 1.2.9 Nextcloud Deck versions prior to 1.4.5 Nextcloud Deck versions prior to 1.5.3 **Description** A missing permission check in Nextcloud Deck allows another authenticated user to access Deck cards of another user. **Recommendations** For Nextcloud Deck versions prior to 1.2.9, upgrade to version 1.2.9. For Nextcloud Deck versions prior to 1.4.5, upgrade to version 1.4.5. For Nextcloud Deck versions prior to 1.5.3, upgrade to version 1.5.3.

**Name of the Vulnerable Software and Affected Versions** Nextcloud OfficeOnline versions prior to 1.1.1 **Description** The Nextcloud OfficeOnline application returned verbatim exception messages to the user, which could result in a full path disclosure on shared files. For example, an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`. **Recommendations** For versions prior to 1.1.1, upgrade the OfficeOnline application to 1.1.1. As a temporary workaround, consider disabling the OfficeOnline application in the app settings until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Richdocuments versions prior to 3.8.6 and 4.2.3 **Description** The Nextcloud Richdocuments application returned verbatim exception messages to the user, which could result in a full path disclosure on shared files. For example, an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`. **Recommendations** For versions prior to 3.8.6, upgrade to version 3.8.6. For versions prior to 4.2.3, upgrade to version 4.2.3. As a temporary workaround, consider disabling the Richdocuments application in the app settings.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Circles versions prior to 0.19.14 Nextcloud Circles versions prior to 0.20.10 Nextcloud Circles versions prior to 0.21.3 **Description** The Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) issue. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. A notable exemption is Internet Explorer, which does not support Content-Security-Policy properly. **Recommendations** For versions prior to 0.19.14, upgrade to 0.19.14 to resolve this issue. For versions prior to 0.20.10, upgrade to 0.20.10 to resolve this issue. For versions prior to 0.21.3, upgrade to 0.21.3 to resolve this issue. As a temporary workaround, users may use a browser that has support for Content-Security-Policy.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Richdocuments versions prior to 3.8.4 Nextcloud Richdocuments versions prior to 4.2.1 **Description** The File Drop feature in Nextcloud Richdocuments can be bypassed, allowing an attacker to read arbitrary files in a shared folder. This issue affects the "Upload Only" public link shares in Nextcloud when using the Nextcloud Richdocuments app. **Recommendations** For versions prior to 3.8.4, upgrade to version 3.8.4. For versions prior to 4.2.1, upgrade to version 4.2.1. If upgrading is not possible, disable the Richdocuments application as a temporary workaround.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 20.0.12 Nextcloud Server versions prior to 21.0.4 Nextcloud Server versions prior to 22.1.0 **Description** The Nextcloud server, an open-source, self-hosted personal cloud, has a issue where logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. **Recommendations** For Nextcloud Server versions prior to 20.0.12, upgrade to 20.0.12 to resolve the issue. For Nextcloud Server versions prior to 21.0.4, upgrade to 21.0.4 to resolve the issue. For Nextcloud Server versions prior to 22.1.0, upgrade to 22.1.0 to resolve the issue. If upgrading is not an option, disable system logging to resolve this issue until an upgrade can be performed.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 20.0.12 Nextcloud Server versions prior to 21.0.4 Nextcloud Server versions prior to 22.1.0 **Description** The issue affects Nextcloud server, an open-source, self-hosted personal cloud. An attacker can bypass Two Factor Authentication in Nextcloud, allowing access to an account with knowledge of a password or access to a WebAuthN trusted device of a user. **Recommendations** For versions prior to 20.0.12, upgrade to 20.0.12. For versions prior to 21.0.4, upgrade to 21.0.4. For versions prior to 22.1.0, upgrade to 22.1.0. As a temporary workaround, consider disabling Two Factor Authentication until a patch is available. However, since there are no workarounds for this vulnerability, upgrading to the recommended version is the only solution.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 20.0.12 Nextcloud Server versions prior to 21.0.4 Nextcloud Server versions prior to 22.0.1 **Description** The Nextcloud Text application, which ships with the Nextcloud Server, returns different error messages depending on whether a folder exists in a public link share. This is problematic when the public link share has been created with "Upload Only" privileges, also known as "File Drop". A link share recipient should not be able to see which folders or files exist in a "File Drop" share. An attacker can exploit this issue to enumerate folders in such a share, but they must have access to a valid affected "File Drop" link share. **Recommendations** For Nextcloud Server versions prior to 20.0.12, upgrade to version 20.0.12. For Nextcloud Server versions prior to 21.0.4, upgrade to version 21.0.4. For Nextcloud Server versions prior to 22.0.1, upgrade to version 22.0.1. If an upgrade is not possible, disable the Nextcloud Text application in the app settings as a temporary workaround.

**Name of the Vulnerable Software and Affected Versions** Collabora Online versions prior to 6.4.9-5 **Description** A reflected XSS issue was found in Collabora Online, allowing an attacker to inject unescaped HTML into a variable as they created the Collabora Online iframe. This could execute scripts inside the context of the Collabora Online iframe, giving access to a small set of user settings stored in the browser and the session's authentication token. **Recommendations** For versions prior to 6.4.9-5, update to Collabora Online 6.4.9-5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Collabora Online versions prior to 4.2.17-1 Collabora Online version 6.4.9-5 **Description** Collabora Online is a collaborative online office suite. Unauthenticated attackers can gain access to files currently opened by other users in the Collabora Online editor. The attacker must guess the file identifier, which is dependent on external file-storage implementations. This is a potential Insecure Direct Object Reference vulnerability. **Recommendations** For versions prior to 4.2.17-1, update to version 4.2.17-1 or later. For version 6.4.9-5, update to a patched release. At the moment, there is no information about other newer versions that contain a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 19.0.13 Nextcloud Server versions prior to 20.0.11 Nextcloud Server versions prior to 21.0.3 **Description** The issue is related to a lack of ratelimiting on the "shareinfo" endpoint, which may have allowed an attacker to enumerate potentially valid share tokens. **Recommendations** For versions prior to 19.0.13, update to version 19.0.13 or later. For versions prior to 20.0.11, update to version 20.0.11 or later. For versions prior to 21.0.3, update to version 21.0.3 or later.

Name of the Vulnerable Software and Affected Versions: @nextcloud/dialogs versions prior to 3.1.2 Description: The issue arises from insufficient escaping of text input passed to a toast in the Nextcloud dialogs library. This could lead to a XSS vulnerability if the application displays toasts with user-supplied input. Nextcloud Server has a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities. Recommendations: For versions prior to 3.1.2, update to version 3.1.2 to patch the vulnerability. If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag. As a temporary workaround, ensure no user-supplied input flows into toasts.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 11.0.3 **Description** The issue is related to a logical error that leads to the disclosure of valid share tokens for public calendars. This could potentially allow an attacker to access publicly shared calendars without knowing the share token. **Recommendations** For versions prior to 11.0.3, update to version 11.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to publicly shared calendars until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Apache Jackrabbit versions 2.4.x through 2.4.5 Apache Jackrabbit versions 2.6.x through 2.6.5 Apache Jackrabbit versions 2.8.x through 2.8.2 Apache Jackrabbit versions 2.10.x through 2.10.3 Apache Jackrabbit versions 2.12.x through 2.12.3 Apache Jackrabbit versions 2.13.x through 2.13.2 **Description** A cross-site request forgery (CSRF) issue exists in the CSRF content-type check in Jackrabbit-Webdav. This allows remote attackers to hijack the authentication of victims for requests that create a resource via an HTTP POST request with a missing or crafted Content-Type header. **Recommendations** For Apache Jackrabbit versions 2.4.x through 2.4.5, update to version 2.4.6 or later. For Apache Jackrabbit versions 2.6.x through 2.6.5, update to version 2.6.6 or later. For Apache Jackrabbit versions 2.8.x through 2.8.2, update to version 2.8.3 or later. For Apache Jackrabbit versions 2.10.x through 2.10.3, update to version 2.10.4 or later. For Apache Jackrabbit versions 2.12.x through 2.12.3, update to version 2.12.4 or later. For Apache Jackrabbit versions 2.13.x through 2.13.2, update to version 2.13.3 or later.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 5.4.38 PHP versions 5.5.x prior to 5.5.22 PHP versions 5.6.x prior to 5.6.6 **Description** The issue is related to the sapi header op function in PHP, which supports deprecated line folding without considering browser compatibility. This allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging mishandling of certain characters in the header function, such as %0A%20 or %0D%0A%20. The vulnerability is associated with the failure to protect the structure of web pages. **Recommendations** For PHP versions prior to 5.4.38, update to version 5.4.38 or later. For PHP versions 5.5.x prior to 5.5.22, update to version 5.5.22 or later. For PHP versions 5.6.x prior to 5.6.6, update to version 5.6.6 or later.

**Name of the Vulnerable Software and Affected Versions** ownCloud Server versions prior to 5.0.19 ownCloud Server versions 6.x prior to 6.0.7 ownCloud Server versions 7.x prior to 7.0.5 **Description** The issue allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding. This can be demonstrated by uploading a .htaccess file. **Recommendations** For ownCloud Server versions prior to 5.0.19, update to version 5.0.19 or later. For ownCloud Server versions 6.x prior to 6.0.7, update to version 6.0.7 or later. For ownCloud Server versions 7.x prior to 7.0.5, update to version 7.0.5 or later.

**Name of the Vulnerable Software and Affected Versions** WebODF versions prior to 0.5.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various means, including style, font name, javascript, or data URI. This can be exploited to execute malicious scripts on the client-side. **Recommendations** For versions prior to 0.5.5, update to version 0.5.5 or later to resolve the issue. As a temporary workaround, consider restricting the input of style, font name, javascript, or data URI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zend Framework 1 versions 1.12.3 and earlier Zend Framework 2 versions 2.1.5 and earlier, 2.2.x versions 2.2.5 and earlier ZendOpenId version 2.0.1 and earlier ZendRest version 2.0.1 and earlier ZendService AudioScrobbler version 2.0.1 and earlier ZendService Nirvanix version 2.0.1 and earlier ZendService SlideShare version 2.0.1 and earlier ZendService Technorati version 2.0.1 and earlier ZendService WindowsAzure version 2.0.1 and earlier ZendService Amazon version 2.0.2 and earlier ZendService Api version 0.9.9 and earlier **Description** The issue allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, and possibly cause a denial of service via an XML External Entity (XXE) attack. This occurs due to an incomplete fix for a previous issue. **Recommendations** For Zend Framework 1 versions 1.12.3 and earlier, update to version 1.12.4 or later. For Zend Framework 2 versions 2.1.5 and earlier, update to version 2.1.6 or later. For Zend Framework 2 versions 2.2.x 2.2.5 and earlier, update to version 2.2.6 or later. For ZendOpenId version 2.0.1 and earlier, update to version 2.0.2 or later. For ZendRest version 2.0.1 and earlier, update to version 2.0.2 or later. For ZendService AudioScrobbler version 2.0.1 and earlier, update to version 2.0.2 or later. For ZendService Nirvanix version 2.0.1 and earlier, update to version 2.0.2 or later. For ZendService SlideShare version 2.0.1 and earlier, update to version 2.0.2 or later. For ZendService Technorati version 2.0.1 and earlier, update to version 2.0.2 or later. For ZendService WindowsAzure version 2.0.1 and earlier, update to version 2.0.2 or later. For ZendService Amazon version 2.0.2 and earlier, update to version 2.0.3 or later. For ZendService Api version 0.9.9 and earlier, update to version 1.0.0 or later.