Julien Veyssier

4 exploits, active since Jun 2024
CVE-2024-37312 MEDIUM
Nextcloud User Oidc < 5.0.0 - Improper Access Control
The user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allowed an attacker to register an account on the instance and thereby gain access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28).
CVSS 6.3
CVE-2024-52512 LOW
Nextcloud User Oidc < 6.1.0 - Open Redirect
The user_oidc app is an OpenID Connect user backend for Nextcloud. A crafted login link could send the user to an attacker-supplied URL after they had authenticated successfully (an open redirect). It is recommended that the Nextcloud User OIDC app is upgraded to 6.1.0.
CVSS 3.3
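The fix for an open redirect of this kind is to validate the post-login redirect target before honouring it. The following is an added illustration, not code from user_oidc (which is PHP) and not its actual patch; it is written in Python so it can be run standalone. The function name `safe_redirect_target` and the default of `/` are assumptions. It accepts only absolute paths on the current origin and covers the usual bypasses: absolute URLs, scheme-relative `//host`, extra leading slashes, backslashes, and control characters that would otherwise be stripped silently by the URL parser.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it is a local absolute path on this origin.

    Anything else (absolute URLs, scheme-relative //host URLs, backslash and
    multi-slash variants, control characters) falls back to `default`, which is
    the property a post-login redirect needs so it cannot become an open redirect.
    """
    if not target or target != target.strip():
        return default
    # CR/LF, tabs and other control characters have no place in a redirect target.
    # urlsplit() silently drops some of them, so check before parsing.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return default
    # Browsers treat "\" like "/" when parsing http(s) URLs, so "/\evil.example"
    # would resolve off-site even though it looks like a local path.
    if "\\" in target:
        return default
    # "//evil.example" is scheme-relative, and browsers collapse "///evil.example"
    # into an authority as well, so reject any target that starts with two slashes.
    if target.startswith("//"):
        return default
    parts = urlsplit(target)
    # Any scheme (https:, javascript:, data:) or netloc means off-site.
    if parts.scheme or parts.netloc:
        return default
    # Defence in depth: urlunsplit() would re-emit a "//..." path verbatim.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Keep path and query, drop any fragment.
    return urlunsplit(("", "", parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the first is a legitimate local target, the rest are
    # the shapes an attacker would put into a crafted login link.
    for candidate in (
        "/apps/files/?dir=/Documents",
        "https://evil.example/",
        "//evil.example/",
        "////evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "/ok\r\nSet-Cookie: x=y",
    ):
        print(repr(candidate), "->", safe_redirect_target(candidate))
```

Note that the check is an allow-list on shape (local absolute path), not a deny-list of known hostnames; a relative path such as `apps/files` is rejected too, which is the conservative choice when the login flow always knows the absolute path it wants to return to.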
CVE-2024-52519 LOW
Nextcloud Server - Info Disclosure
Nextcloud Server is a self-hosted personal cloud system. OAuth2 client secrets were stored in a recoverable (decryptable) form, so an attacker who obtained both a backup of the database and the Nextcloud config file could decrypt them. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
CVSS 2.7
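The general remedy for "recoverable" credential storage is to keep only a salted one-way hash of the secret, so that database plus config file together still do not yield the plaintext. The block below is an added example in Python, not Nextcloud's code or its actual fix; the function names, the PBKDF2 parameters and the `pbkdf2_sha256$iterations$salt$hash` storage format are assumptions. The server generates the client secret once, shows it to the administrator once, and from then on can only verify it.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example; tune iterations to the deployment.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000


def new_client_secret() -> str:
    """High-entropy secret handed to the OAuth2 client exactly once."""
    return secrets.token_urlsafe(32)


def hash_client_secret(secret: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing, salted one-way hash suitable for the database.

    Nothing stored here, even combined with the server's config file, lets an
    attacker recover `secret`; that is the property the advisory's storage lacked.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "$".join((
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ))


def verify_client_secret(presented: str, stored: str) -> bool:
    """Constant-time check of a presented secret against the stored hash."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed walk-through: create a client, store the hash, verify later.
    secret = new_client_secret()
    stored = hash_client_secret(secret)
    print("stored:", stored)
    print("correct secret accepted:", verify_client_secret(secret, stored))
    print("wrong secret rejected:", verify_client_secret(secret + "x", stored))
```

The one functional consequence of this design is that the admin UI can no longer redisplay an existing client secret; if an administrator loses it, the only option is to rotate it. A random 32-byte secret would already resist brute force with a plain hash, but a slow KDF also protects deployments where secrets are imported or chosen by hand.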
CVE-2024-52520 MEDIUM
Nextcloud Server < 27.1.11.8 - Denial of Service
Nextcloud Server is a self-hosted personal cloud system. The link reference provider fetches linked pages to look for Open Graph data. Because it relied on a pre-flight HEAD request, it could be tricked into downloading far larger pages than intended, which is a denial-of-service vector. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
CVSS 5.7
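The lesson behind this entry is that a HEAD response is a hint from the remote server, not a bound on what GET will return: a hostile server can declare a tiny Content-Length and then stream gigabytes. The block below is an added example in Python, not Nextcloud's code or its actual fix; `MAX_BYTES`, the function names and the constructed responses are assumptions. It contrasts a flow that trusts the pre-flight with one that counts bytes actually received and also stops as soon as `</head>` arrives, since Open Graph tags live in the document head.

```python
import re
from typing import Iterable, Iterator, Optional

# Assumed cap for Open Graph discovery; the page does not state Nextcloud's real limit.
MAX_BYTES = 256 * 1024
CHUNK = 64 * 1024


class ResponseTooLarge(Exception):
    """Raised when a body exceeds the cap, whatever HEAD claimed."""


def head_allows(content_length: Optional[int], max_bytes: int = MAX_BYTES) -> bool:
    """Pre-flight check: cheap way to skip obvious giants, but only advisory,
    because a server may answer HEAD and GET differently."""
    return content_length is None or content_length <= max_bytes


def read_bounded(chunks: Iterable[bytes], max_bytes: int = MAX_BYTES) -> bytes:
    """Consume a GET body while counting bytes actually received.

    Aborts as soon as the cap is exceeded, and returns early once </head> has
    arrived, since the Open Graph <meta> tags we want are inside <head>."""
    buf = bytearray()
    for chunk in chunks:
        buf += chunk
        if len(buf) > max_bytes:
            raise ResponseTooLarge(f"body exceeded {max_bytes} bytes")
        if b"</head>" in buf.lower():
            break
    return bytes(buf)


def trusting_fetch(content_length: Optional[int], chunks: Iterable[bytes],
                   max_bytes: int = MAX_BYTES) -> bytes:
    """Flawed flow in the spirit of the advisory: once HEAD passes, GET is read whole."""
    if not head_allows(content_length, max_bytes):
        raise ResponseTooLarge("HEAD declared a body above the cap")
    return b"".join(chunks)


def hardened_fetch(content_length: Optional[int], chunks: Iterable[bytes],
                   max_bytes: int = MAX_BYTES) -> bytes:
    """HEAD may still short-circuit, but the cap is enforced on the real body."""
    if not head_allows(content_length, max_bytes):
        raise ResponseTooLarge("HEAD declared a body above the cap")
    return read_bounded(chunks, max_bytes)


# Simplified extractor: assumes property= precedes content=; a real parser
# must accept either attribute order.
_OG = re.compile(rb'<meta\s+property=["\']og:([a-z_:]+)["\']\s+content=["\']([^"\']*)["\']', re.I)


def extract_og(html: bytes) -> dict:
    return {k.decode(): v.decode(errors="replace") for k, v in _OG.findall(html)}


# --- constructed responses standing in for remote servers -------------------

def lying_server_body(total: int = 2 * 1024 * 1024) -> Iterator[bytes]:
    """GET body of a server whose HEAD claimed Content-Length: 512 but which
    streams `total` bytes of filler and never closes <head>."""
    yield b"<html><head><title>x</title>"
    sent = 0
    while sent < total:
        yield b"A" * CHUNK
        sent += CHUNK


def honest_page_body() -> Iterator[bytes]:
    """Normal page: small head with og:* tags, then a 1 MiB body we never need."""
    page = (b'<html><head><meta property="og:title" content="Hello">'
            b'<meta property="og:type" content="article"></head><body>')
    page += b"B" * (1024 * 1024)
    for i in range(0, len(page), CHUNK):
        yield page[i:i + CHUNK]


if __name__ == "__main__":
    print("trusting fetch read", len(trusting_fetch(512, lying_server_body())), "bytes")
    try:
        hardened_fetch(512, lying_server_body())
    except ResponseTooLarge as exc:
        print("hardened fetch aborted:", exc)
    html = hardened_fetch(None, honest_page_body())
    print("honest page: read", len(html), "bytes, og:", extract_og(html))
```

Two things carry over to any fetcher of untrusted URLs: enforce the byte limit on the stream you actually receive (the HEAD check is at best an optimisation), and stop reading once you have what you came for rather than buffering the whole document.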