Themarkib

**Name of the Vulnerable Software and Affected Versions** Nextcloud Server versions 25.0.0 through 25.0.8 Nextcloud Server versions 26.0.0 through 26.0.3 Nextcloud Server versions 27.0.0 through 27.0.0 **Description** The issue is related to improper access control in Nextcloud Server, which provides data storage for the Nextcloud open source cloud platform. An unauthenticated user could send a DAV request to reveal whether a calendar or an address book with a given identifier exists for the victim. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** For Nextcloud Server versions 25.0.0 through 25.0.8, update to version 25.0.9 or later. For Nextcloud Server versions 26.0.0 through 26.0.3, update to version 26.0.4 or later. For Nextcloud Server versions 27.0.0 through 27.0.0, update to version 27.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Nextcloud Calendar app versions prior to 3.5.5 Nextcloud Calendar app versions prior to 4.2.3 **Description** The issue concerns the disclosure of internal website paths when the SMTP server is unavailable. This affects the functionality of the Calendar app in syncing events across devices. **Recommendations** For versions prior to 3.5.5, update to version 3.5.5. For versions prior to 4.2.3, update to version 4.2.3.

**Name of the Vulnerable Software and Affected Versions** WPQA Builder WordPress plugin versions prior to 5.9 **Description** The issue concerns a lack of CSRF check in the WPQA Builder WordPress plugin, specifically when following and unfollowing users. This could allow attackers to make logged-in users perform such actions via CSRF attacks. **Recommendations** For versions prior to 5.9, update to version 5.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the follow and unfollow user functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WPQA Builder WordPress plugin versions prior to 5.7 **Description** The issue allows any logged-in user to read other users' private messages using the message id, which can easily be brute forced, due to a lack of authorization checks before displaying private messages. **Recommendations** For versions prior to 5.7, update to version 5.7 or later to resolve the issue. As a temporary workaround, consider restricting access to private messages or implementing additional authorization checks to minimize the risk of exploitation.