Description
Nextcloud Server is a self-hosted personal cloud system. Because the link reference provider relied on a pre-flight HEAD request before fetching a page to look for Open Graph data, a remote site could trick it into downloading a much larger web page than intended, consuming server resources (CWE-400). It is recommended that Nextcloud Server be upgraded to 28.0.10 or 29.0.7 and that Nextcloud Enterprise Server be upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
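The following is an added illustration, not Nextcloud's own code (Nextcloud is written in PHP; this is a stand-alone Python model). It assumes the classic weak pattern the advisory hints at: a pre-flight HEAD is used as the size gate, and the subsequent GET body is then read in full. A hostile site, constructed inline as a loopback HTTP server, advertises a tiny Content-Length on HEAD and then serves megabytes on GET. The bounded fetcher beside it shows the practitioner's fix: never let any header decide how much you read; stream the GET, cap the bytes, and stop once the <head> element (where og: tags live) has been seen. All sizes, names and the sample page are constructed for the example.

```python
"""Bounded Open Graph fetch that does not trust a pre-flight HEAD response."""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

MAX_BYTES = 64 * 1024         # the most we are willing to read while looking for og: tags
ADVERTISED_LEN = 512          # what the hostile site claims in its HEAD response
ACTUAL_LEN = 2 * 1024 * 1024  # what it really sends on GET (constructed, 2 MiB)

# Constructed page: a real og:title in <head>, then filler up to ACTUAL_LEN bytes.
PAGE_HEAD = b'<html><head><meta property="og:title" content="Hostile page"></head><body>'
PAGE_FILLER = b"A" * (ACTUAL_LEN - len(PAGE_HEAD))

OG_META = re.compile(rb'<meta\s+property="og:([a-z:]+)"\s+content="([^"]*)"', re.I)


class LyingSite(BaseHTTPRequestHandler):
    """Hypothetical hostile server: small Content-Length on HEAD, large body on GET."""

    def log_message(self, *args):  # silence request logging
        pass

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(ADVERTISED_LEN))
        self.end_headers()

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(ACTUAL_LEN))
        self.end_headers()
        try:
            self.wfile.write(PAGE_HEAD)
            self.wfile.write(PAGE_FILLER)
        except OSError:
            pass  # a bounded client hangs up early; that is expected


def parse_og(html: bytes) -> dict:
    """Extract og:* properties from whatever portion of the page we have."""
    return {k.decode(): v.decode() for k, v in OG_META.findall(html)}


def fetch_trusting_head(host, port, path="/"):
    """Vulnerable pattern: HEAD passes the size check, so the whole GET body is read."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    head = conn.getresponse()
    head.read()
    if int(head.getheader("Content-Length", "0")) > MAX_BYTES:
        conn.close()
        return None, 0
    conn.request("GET", path)
    body = conn.getresponse().read()  # trusts HEAD; actually reads ACTUAL_LEN bytes
    conn.close()
    return parse_og(body), len(body)


def fetch_bounded(host, port, path="/"):
    """Hardened pattern: stream the GET and stop at MAX_BYTES or at </head>,
    regardless of what any header (HEAD or GET) claimed about the size."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    if not resp.getheader("Content-Type", "").startswith("text/html"):
        conn.close()
        return None, 0
    buf = bytearray()
    while len(buf) < MAX_BYTES:
        chunk = resp.read(min(8192, MAX_BYTES - len(buf)))
        if not chunk:
            break
        buf += chunk
        if b"</head>" in buf:  # og: tags live in <head>; nothing after it is needed
            break
    conn.close()  # abandon the rest of the download
    return parse_og(bytes(buf)), len(buf)


def start_site():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), LyingSite)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run both fetchers against the hostile site; returns ((og, bytes_read), (og, bytes_read))."""
    srv = start_site()
    host, port = srv.server_address
    try:
        return fetch_trusting_head(host, port), fetch_bounded(host, port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    (naive_og, naive_len), (safe_og, safe_len) = demo()
    print(f"trusting HEAD: read {naive_len} bytes, og={naive_og}")
    print(f"bounded fetch: read {safe_len} bytes, og={safe_og}")
```

Both fetchers recover the same og:title, but the HEAD-trusting one pulls the full 2 MiB while the bounded one stops after the first few KiB. In production the cap should also be enforced on the connection's read timeout and on redirects, since a hostile site can stall or bounce the fetcher just as easily as it can lie about size.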
References
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pxqf-cfxw-mqmj
Patch: https://github.com/nextcloud/server/pull/47627
Scores
CVSS v3.1 base score: 5.7 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low; User Interaction: Required; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: High)
EPSS: 0.0133 (1.33%)
EPSS percentile: 80.0%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-400 (Uncontrolled Resource Consumption), CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (2)
nextcloud/nextcloud_server: 27.0.0 to 27.1.11.8 (fixed in 27.1.11.8 per the advisory; earlier 27.x releases remain affected)
nextcloud/nextcloud_server: 28.0.0 to 28.0.10 (fixed in 28.0.10 per the advisory; earlier 28.x releases remain affected)
Note: the advisory also names 29.0.7 as a fixed release, so 29.x releases before 29.0.7 should be treated as affected even though no 29.x range is listed here.
Published
Nov 15, 2024
Tracked Since
Feb 18, 2026