All errata/sisyphus/ALT-PU-2025-16890-3
ALT-PU-2025-16890-3

Package update nextcloud in branch sisyphus

Version32.0.1-alt1
Task#400566
Published2026-03-27
Max severityMEDIUM
Severity:

Closed issues (3)

BDU:2026-03384
MEDIUM4.9

Уязвимость облачного программного обеспечения для создания и использования хранилища данных Nextcloud Server и Nextcloud Enterprise Server, связанная с недостатками разграничения доступа к личной информации, позволяющая нарушителю получить несанкционированный доступ к учетным записям пользователям

Published: 2026-03-19
CVSS 3.xMEDIUM 4.9
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:N/A:N
References
CVE-2025-59788
MEDIUM5.4

Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.

Published: 2025-12-04Modified: 2026-03-25
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
References
CVE-2025-66510
MEDIUM4.9

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

Published: 2025-12-05Modified: 2025-12-10
CVSS 3.xMEDIUM 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
References