Lukasreschkenc

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 20.0.12 Nextcloud Server versions prior to 21.0.4 Nextcloud Server versions prior to 22.1.0 **Description** Nextcloud server is an open source, self-hosted personal cloud that supports rendering image previews for user-provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. This poses several security concerns, such as Server-Side-Request-Forgery, file disclosure, or potentially executing code on the system. The risk depends on the system configuration and the installed library version. **Recommendations** For versions prior to 20.0.12, upgrade to 20.0.12 or later. For versions prior to 21.0.4, upgrade to 21.0.4 or later. For versions prior to 22.1.0, upgrade to 22.1.0 or later. As a temporary workaround, users may disable previews by setting `enable previews` to `false` in `config.php`.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 19.0.13 Nextcloud Server versions prior to 20.0.11 Nextcloud Server versions prior to 21.0.3 **Description** The issue affects Nextcloud Server, a package that handles data storage. In the affected versions, ratelimits are not applied to OCS API responses, which can be exploited by affecting any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. The risk depends on the installed applications on the Nextcloud Server and could range from bypassing authentication ratelimits to spamming other Nextcloud users. **Recommendations** For versions prior to 19.0.13, update to version 19.0.13 or later. For versions prior to 20.0.11, update to version 20.0.11 or later. For versions prior to 21.0.3, update to version 21.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Text versions prior to 19.0.13 Nextcloud Text versions prior to 20.0.11 Nextcloud Text versions prior to 21.0.3 **Description** A cross-site scripting issue is present in the Nextcloud Text application. The application uses a `text/html` Content-Type when serving files to users. However, due to the strict Content-Security-Policy, this issue is not exploitable on modern browsers that support Content-Security-Policy. **Recommendations** For versions prior to 19.0.13, update to version 19.0.13 or later. For versions prior to 20.0.11, update to version 20.0.11 or later. For versions prior to 21.0.3, update to version 21.0.3 or later. As a temporary workaround, consider using a browser that supports Content-Security-Policy to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 19.0.13 Nextcloud Server versions prior to 20.0.11 Nextcloud Server versions prior to 21.0.3 **Description** The Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user, which could result in a full path disclosure on shared files. **Recommendations** For versions prior to 19.0.13, update to version 19.0.13 or later. For versions prior to 20.0.11, update to version 20.0.11 or later. For versions prior to 21.0.3, update to version 21.0.3 or later. As a temporary workaround, consider disabling the Nextcloud Text application in Nextcloud Server app settings.