ALT-PU-2024-10161-3
Closed vulnerabilities
Modified: 2025-05-27
BDU:2024-00723
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с неверным сроком действия сеанса, позволяющая нарушителю обойти процесс аутентификации
BDU:2024-04840
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостатками процедуры аутентификации, позволяющая нарушителю обойти процесс аутентификации
BDU:2024-04871
Уязвимость компонента Calendar облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю получить доступ к конфиденциальной информации
BDU:2024-04872
Уязвимость функции files_versions() облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю восстановить старые версии документа
BDU:2024-04873
Уязвимость компонента Delete облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2024-04874
Уязвимость компонента Share облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, позволяющая нарушителю оказать воздействие на целостность данных или вызвать отказ в обслуживании
BDU:2024-10198
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с использованием имени с неправильной ссылкой, позволяющая нарушителю получить доступ к конфиденциальной информации
BDU:2024-10199
Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server, связанная с неправильным контролем доступа, позволяющая нарушителю получить доступ к конфиденциальной информации
Modified: 2024-11-21
CVE-2024-22403
Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36
- https://github.com/nextcloud/server/pull/40766
- https://hackerone.com/reports/1784162
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX/
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36
- https://github.com/nextcloud/server/pull/40766
- https://hackerone.com/reports/1784162
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX/
Modified: 2025-09-26
CVE-2024-37313
Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
- https://github.com/nextcloud/server/pull/44276
- https://hackerone.com/reports/2419776
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
- https://github.com/nextcloud/server/pull/44276
- https://hackerone.com/reports/2419776
Modified: 2024-11-21
CVE-2024-37315
Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942
- https://github.com/nextcloud/server/pull/43727
- https://hackerone.com/reports/1356508
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942
- https://github.com/nextcloud/server/pull/43727
- https://hackerone.com/reports/1356508
Modified: 2024-11-21
CVE-2024-37882
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq
- https://github.com/nextcloud/server/pull/44339
- https://hackerone.com/reports/2289425
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jjm3-j9xh-5xmq
- https://github.com/nextcloud/server/pull/44339
- https://hackerone.com/reports/2289425
Modified: 2024-11-21
CVE-2024-37884
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c
- https://github.com/nextcloud/server/pull/43727
- https://hackerone.com/reports/2290680
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwgx-f37p-xh8c
- https://github.com/nextcloud/server/pull/43727
- https://hackerone.com/reports/2290680
Modified: 2025-10-02
CVE-2024-37887
Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1.
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595
- https://github.com/nextcloud/server/pull/45309
- https://hackerone.com/reports/2479325
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4xv-cjpm-j595
- https://github.com/nextcloud/server/pull/45309
- https://hackerone.com/reports/2479325
Modified: 2025-10-01
CVE-2024-52514
Nextcloud Server is a self hosted personal cloud system. After a user received a share with some files inside being blocked by the files access control, the user would still be able to copy the intermediate folder inside Nextcloud allowing them to afterwards potentially access the blocked files depending on the user access control rules. It is recommended that the Nextcloud Server is upgraded to 27.1.9, 28.0.5 or 29.0.0 and Nextcloud Enterprise Server is upgraded to 21.0.9.18, 22.2.10.23, 23.0.12.18, 24.0.12.14, 25.0.13.9, 26.0.13.3, 27.1.9, 28.0.5 or 29.0.0.
Modified: 2025-10-01
CVE-2024-52515
Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1.