Nickvergessen

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 29.0.15, 30.0.9, and 31.0.3 Nextcloud Enterprise Server versions prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 Description: The issue concerns a bug in session handling. When the server is configured with `remember login cookie lifetime` set to `0`, the second factor confirmation is skipped after a successful login with the username and password, once the session expires on the page to select the second factor and the page is reloaded. Recommendations: For Nextcloud Server versions prior to 29.0.15, 30.0.9, and 31.0.3, update to version 29.0.15, 30.0.9, or 31.0.3. For Nextcloud Enterprise Server versions prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3, update to version 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, or 31.0.3. As a temporary workaround, set the `remember login cookie lifetime` in config.php to a value other than `0`, e.g. `900`. System administration can delete affected sessions.

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 30.0.2 Nextcloud Server versions prior to 29.0.9 Nextcloud Server versions prior to 28.0.1 Nextcloud Enterprise Server versions prior to 30.0.2 Nextcloud Enterprise Server versions prior to 29.0.9 Nextcloud Groupfolders app versions prior to 18.0.3 Nextcloud Groupfolders app versions prior to 17.0.5 Nextcloud Groupfolders app versions prior to 16.0.11 Description: The issue concerns the absence of quota checking on attachments in Nextcloud Server and Nextcloud Groupfolders app, allowing logged-in users to upload files exceeding the group folder quota. Recommendations: For Nextcloud Server version prior to 30.0.2, update to version 30.0.2 or later. For Nextcloud Server version prior to 29.0.9, update to version 29.0.9 or later. For Nextcloud Server version prior to 28.0.1, update to version 28.0.1 or later. For Nextcloud Enterprise Server version prior to 30.0.2, update to version 30.0.2 or later. For Nextcloud Enterprise Server version prior to 29.0.9, update to version 29.0.9 or later. For Nextcloud Groupfolders app version prior to 18.0.3, update to version 18.0.3 or later. For Nextcloud Groupfolders app version prior to 17.0.5, update to version 17.0.5 or later. For Nextcloud Groupfolders app version prior to 16.0.11, update to version 16.0.11 or later.

Name of the Vulnerable Software and Affected Versions: Nextcloud Desktop versions prior to 3.15 Description: The issue affects Nextcloud Desktop, allowing 3rd party applications to create link shares for almost all data via the socket API. These shares can then be sent to an external service. Recommendations: For versions prior to 3.15, update to version 3.15 to resolve the issue. As a temporary workaround, consider restricting access to the socket API until the update is applied.

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 28.0.13 Nextcloud Server versions prior to 29.0.10 Nextcloud Server versions prior to 30.0.3 Nextcloud Enterprise Server versions prior to 28.0.13 Nextcloud Enterprise Server versions prior to 29.0.10 Nextcloud Enterprise Server versions prior to 30.0.3 Description: Nextcloud Server is a self-hosted personal cloud system. A currently unused endpoint to verify a share recipient was not protected correctly, allowing proxy requests to another server. No known workarounds are available. Recommendations: For Nextcloud Server versions prior to 28.0.13, update to version 28.0.13 or later. For Nextcloud Server versions prior to 29.0.10, update to version 29.0.10 or later. For Nextcloud Server versions prior to 30.0.3, update to version 30.0.3 or later. For Nextcloud Enterprise Server versions prior to 28.0.13, update to version 28.0.13 or later. For Nextcloud Enterprise Server versions prior to 29.0.10, update to version 29.0.10 or later. For Nextcloud Enterprise Server versions prior to 30.0.3, update to version 30.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Desktop Client versions 3.13.1 through 3.13.3 **Description** In the Nextcloud Desktop Client on Linux, synchronized files between the server and client may become world writable or world readable. This issue is fixed in version 3.13.4. **Recommendations** For versions 3.13.1 through 3.13.3, upgrade to version 3.13.4 to resolve the issue. As a temporary workaround, consider restricting access to sensitive files until the update is applied.

Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 22.2.11 Nextcloud Server versions prior to 23.0.11 Nextcloud Server versions prior to 24.0.6 Nextcloud Enterprise Server versions prior to 22.2.11 Nextcloud Enterprise Server versions prior to 23.0.11 Nextcloud Enterprise Server versions prior to 24.0.6 Description: The issue is related to insecure management of privileges in Nextcloud Server and Nextcloud Enterprise Server. This can allow a remote attacker to disclose protected information. When a server is configured to only allow sharing with users that are in one's own groups, after a user was removed from a group, previously shared items were not unshared. Recommendations: For Nextcloud Server versions prior to 22.2.11, upgrade to version 22.2.11 or later. For Nextcloud Server versions prior to 23.0.11, upgrade to version 23.0.11 or later. For Nextcloud Server versions prior to 24.0.6, upgrade to version 24.0.6 or later. For Nextcloud Enterprise Server versions prior to 22.2.11, upgrade to version 22.2.11 or later. For Nextcloud Enterprise Server versions prior to 23.0.11, upgrade to version 23.0.11 or later. For Nextcloud Enterprise Server versions prior to 24.0.6, upgrade to version 24.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud files Zip app versions prior to 1.2.1 Nextcloud files Zip app versions prior to 1.4.1 Nextcloud files Zip app versions prior to 1.5.0 **Description** The Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions, users can download "view-only" files by zipping the complete folder. **Recommendations** For versions prior to 1.2.1, upgrade to 1.2.1 or later. For versions prior to 1.4.1, upgrade to 1.4.1 or later. For versions prior to 1.5.0, upgrade to 1.5.0 or later. As a temporary workaround, consider disabling the file zip app until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Nextcloud versions prior to 25.0.11 Nextcloud versions prior to 26.0.6 Nextcloud versions prior to 27.1.0 **Description** The issue is related to the use of Memcached as `memcache.distributed` in Nextcloud, which can cause the rate limiting on the server to be reset unexpectedly, leading to the rate count being reset earlier than intended. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For versions prior to 25.0.11, upgrade to version 25.0.11 or later. For versions prior to 26.0.6, upgrade to version 26.0.6 or later. For versions prior to 27.1.0, upgrade to version 27.1.0 or later. As a temporary workaround for users unable to upgrade, change the config setting `memcache.distributed` to `OCMemcacheRedis` and install Redis instead of Memcached.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Talk versions prior to 15.0.8 Nextcloud Talk versions prior to 16.0.6 Nextcloud Talk versions prior to 17.1.1 **Description** The issue concerns the brute force protection of public talk conversation passwords in Nextcloud Talk, a chat module for the Nextcloud server platform. In affected versions, this protection can be bypassed due to an endpoint validating the conversation password without registering brute force attempts. **Recommendations** For versions prior to 15.0.8, upgrade to version 15.0.8. For versions prior to 16.0.6, upgrade to version 16.0.6. For versions prior to 17.1.1, upgrade to version 17.1.1.

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.0.* through 8.0.29 PHP versions 8.1.* through 8.1.21 PHP versions 8.2.* through 8.2.7 **Description** The issue is related to the way PHP's XML functions rely on libxml global state to track configuration variables. This state can be changed by other modules, such as ImageMagick, within the same process, potentially leading to the disclosure of local files accessible to PHP. The vulnerable state may persist across many requests until the process is shut down. **Recommendations** For PHP versions 8.0.* through 8.0.29, update to version 8.0.30 or later. For PHP versions 8.1.* through 8.1.21, update to version 8.1.22 or later. For PHP versions 8.2.* through 8.2.7, update to version 8.2.8 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 25.0.6 Nextcloud Server versions prior to 26.0.1 **Description** A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account, the previous session would be continued and the attacker would be authenticated as the previously logged in user. This issue is related to incorrect session expiration. **Recommendations** For Nextcloud Server versions prior to 25.0.6, upgrade to 25.0.6 to resolve the issue. For Nextcloud Server versions prior to 26.0.1, upgrade to 26.0.1 to resolve the issue. As a temporary workaround, consider clearing cookies manually after logout to prevent session continuation.

**Name of the Vulnerable Software and Affected Versions** user oidc app versions prior to 1.3.2 **Description** The user oidc app, an OpenID Connect user backend for Nextcloud, has an issue where authentication can be broken or bypassed. **Recommendations** For versions prior to 1.3.2, upgrade the Nextcloud user oidc app to version 1.3.2.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Android versions 3.7.0 through 3.24.0 **Description** The Nextcloud Android app has a security issue that allows an attacker with access to an unlocked physical device to bypass the Pin/passcode protection using a third-party app. This enables the attacker to view meta information such as sharer, sharees, and activity of files. **Recommendations** For versions 3.7.0 through 3.24.0, upgrade the Nextcloud Android app to version 3.24.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 24.0.10 Nextcloud Server versions prior to 25.0.4 **Description** The issue is related to a missing scope validation in the Nextcloud server, allowing users to create workflows designed for administrators only. Some workflows can lead to remote code execution (RCE) by invoking scripts, generating PDFs, or running scripts on the server. The combination of available apps can result in RCE. **Recommendations** For Nextcloud Server versions prior to 24.0.10, upgrade to 24.0.10. For Nextcloud Server versions prior to 25.0.4, upgrade to 25.0.4. For users unable to upgrade, disable the `workflow scripts` and `workflow pdf converter` apps as a mitigation.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 24.0.10 Nextcloud Server versions prior to 25.0.4 **Description** The issue is related to the generated fallback password when creating a share in Nextcloud Server, which uses a weak complexity random number generator. This makes the password guessable to an attacker willing to brute force it, especially when the sharer does not change the password. The vulnerability can be exploited by a remote attacker to gain unauthorized access to protected information. It only affects users who do not have a password policy enabled. **Recommendations** For Nextcloud Server versions prior to 24.0.10, upgrade to 24.0.10. For Nextcloud Server versions prior to 25.0.4, upgrade to 25.0.4. As a temporary workaround for users unable to upgrade, enable a password policy to mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions prior to 24.0.10 Nextcloud Server versions prior to 25.0.4 **Description** The issue is related to the lack of authentication attempt limits in Nextcloud Server, allowing a malicious user to try to reset another user's password and then brute force the password reset token. Although brute forcing the 62^21 combinations for the password reset token would require significant compute resources, it is still a potential risk. There are no known real-world incidents or estimated numbers of affected devices mentioned. **Recommendations** For versions prior to 24.0.10, upgrade to 24.0.10. For versions prior to 25.0.4, upgrade to 25.0.4. As a temporary workaround, consider implementing throttling for password reset attempts, similar to the fix introduced in commit `704eb3aa`, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Desktop Client versions prior to 3.6.3 **Description** The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. It is missing sanitisation on qml labels used for basic HTML elements such as `strong`, `em`, and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. **Recommendations** For versions prior to 3.6.3, upgrade to version 3.6.3 to resolve the issue. As a temporary workaround, consider restricting the use of qml labels in the desktop client until a patch is available. However, since there are no known workarounds for this issue, upgrading to the recommended version is the best course of action.

**Name of the Vulnerable Software and Affected Versions** Nextcloud server versions 25.0.0 through 25.0.2 **Description** The issue is related to an inefficient fetch operation that may impact server performance and/or lead to a denial of service. This can be exploited by a remote attacker to initiate a denial of service attack. The vulnerability is associated with uncontrolled resource consumption. **Recommendations** For Nextcloud server versions 25.0.0 through 25.0.2, upgrade to version 25.0.3 to address the issue. There are no known workarounds for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nextcloud server versions prior to 25.0.2 Nextcloud server versions prior to 24.0.8 Nextcloud server versions prior to 23.0.12 **Description** The issue concerns the `OCFilesNodeFolder::getFullPath()` function, which was validating and normalizing strings in the wrong order. This function is used in the `newFile()` and `newFolder()` items, potentially allowing the creation of paths outside of one's own space and overwriting data from other users with crafted paths. **Recommendations** For versions prior to 25.0.2, upgrade to version 25.0.2 or later. For versions prior to 24.0.8, upgrade to version 24.0.8 or later. For versions prior to 23.0.12, upgrade to version 23.0.12 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Deck versions prior to 1.6.5 Nextcloud Deck versions prior to 1.7.3 Nextcloud Deck versions prior to 1.8.2 **Description** Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. A database error can be generated, potentially causing a denial of service when performed multiple times. **Recommendations** For versions prior to 1.6.5, upgrade to version 1.6.5 or later. For versions prior to 1.7.3, upgrade to version 1.7.3 or later. For versions prior to 1.8.2, upgrade to version 1.8.2 or later.