Nextcloud Server 27.0.0
Approved changes feed: RSS · Atom
cpe:2.3:a:nextcloud:nextcloud_server:27.0.0:*:*:*:-:*:*:*
part: a version: 27.0.0 update: *
| Vendor | Nextcloud (e5ae4298-6932-564f-a40d-08cebea039a5) |
|---|---|
| Product | Nextcloud Server (1b3f7567-9687-57ec-81e9-325dd62e7470) |
| Edition | * |
| Language | * |
| Software edition | - |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
pkg:github/nextcloud/server |
purl2cpe | 2026-06-01 10:17:59.053969 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2023-45151 |
vulnerable | 2026-06-03 14:53:07.631432 |
OAuth2 client_secret stored in plain text in the Nextcloud database
MEDIUM (6.5)
Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.
Published: 2023-10-16T18:41:28.713Z
Updated: 2024-09-16T14:57:44.642Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-45148 |
vulnerable | 2026-06-03 14:53:07.627908 |
Rate limiter not working reliable when Memcached is installed in Nextcloud
MEDIUM (4.3)
Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than intended. Users are advised to upgrade to versions 25.0.11, 26.0.6 or 27.1.0. Users unable to upgrade should change their config setting `memcache.distributed` to `\OC\Memcache\Redis` and install Redis instead of Memcached.
Published: 2023-10-16T18:51:56.827Z
Updated: 2024-09-16T14:50:57.166Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-39963 |
vulnerable | 2026-06-03 14:52:39.597175 |
Missing password confirmation when creating app passwords
HIGH (8.1)
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.
Published: 2023-08-10T17:26:30.163Z
Updated: 2024-10-10T17:53:05.396Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-39962 |
vulnerable | 2026-06-03 14:52:39.596540 |
Users can delete external storage mount points
HIGH (7.7)
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 19.0.0 and prior to versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a malicious user could delete any personal or global external storage, making them inaccessible for everyone else as well. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10, 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. As a workaround, disable app files_external. This also makes the external storage inaccessible but retains the configurations until a patched version has been deployed.
Published: 2023-08-10T17:23:50.261Z
Updated: 2024-10-03T19:54:43.544Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-39961 |
vulnerable | 2026-06-03 14:52:39.593596 |
Text does not respect "Allow download" permissions
LOW (3.5)
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 24.0.4 and prior to versions 25.0.9, 26.0.4, and 27.0.1, when a folder with images or an image was shared without download permissions, the user could add the image inline into a text file and download it. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.
Published: 2023-08-10T17:18:40.903Z
Updated: 2024-10-10T15:51:18.932Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-39959 |
vulnerable | 2026-06-03 14:52:39.592675 |
Existence of calendars and address books can be checked by unauthenticated users
LOW (3.5)
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.
Published: 2023-08-10T17:07:42.367Z
Updated: 2024-10-08T14:11:04.848Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-39958 |
vulnerable | 2026-06-03 14:52:39.592212 |
Missing brute force protection on password reset token OAuth2 API controller
MEDIUM (5.8)
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, missing protection allows an attacker to brute force the client secrets of configured OAuth2 clients. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.
Published: 2023-08-10T17:04:51.729Z
Updated: 2024-10-10T15:52:01.095Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2023-39952 |
vulnerable | 2026-06-03 14:52:39.570253 |
Advanced permissions not respected when copying entire group folders
MEDIUM (6.5)
Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 22.0.0 and prior to versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1, a user can access files inside a subfolder of a groupfolder accessible to them, even if advanced permissions would block access to the subfolder. Nextcloud Server versions 25.0.8, 26.0.3, and 27.0.1 and Nextcloud Enterprise Server versions 22.2.10.13, 23.0.12.8, 24.0.12.4, 25.0.8, 26.0.3, and 27.0.1 contain a patch for this issue. No known workarounds are available.
Published: 2023-08-10T13:50:50.528Z
Updated: 2024-10-08T14:48:25.374Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.