=====================================================================
CERT-Renater Information Note No. 2025/VULN319
_____________________________________________________________________
DATE : 16/05/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running
  Desktop (Nextcloud) versions prior to 3.15,
  Server (Nextcloud) versions prior to 29.0.15, 30.0.9, 31.0.3,
  Server (Nextcloud Enterprise) versions prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, 31.0.3,
  Enterprise Server (Nextcloud) versions prior to 28.0.14.4, 29.0.13, 30.0.7, 31.0.1,
  Groupfolders (Nextcloud) versions prior to 18.0.3, 17.0.5, 16.0.11.
=====================================================================
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qm2f-959g-7p65
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9h3w-f3h4-qqrh
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgg-hhfq-vhww
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c7vq-m7f8-rx37
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q568-2933-gcjq
_____________________________________________________________________
3rdparty applications can create share links via socket API
Severity: Moderate
Published by nickvergessen as GHSA-qm2f-959g-7p65 on May 16, 2025

Package: Desktop (Nextcloud)
Affected versions: < 3.15
Patched versions: 3.15

Description

Impact
Third-party applications already installed on a user's machine can create link shares for almost all data via the socket API. These shares can then easily be sent off to an external service.
Patches
It is recommended that the Nextcloud Desktop client is upgraded to 3.15.

Workarounds
No workaround available.

References
HackerOne report, pull request (linked from the GitHub advisory)

For more information
If you have any questions or comments about this advisory: create a post in nextcloud/security-advisories. Customers: open a support ticket at portal.nextcloud.com.

CVSS v3 base score: 5.0/10
CVSS v3 base metrics: Attack vector: Local; Attack complexity: High; Privileges required: Low; User interaction: Required; Scope: Unchanged; Confidentiality: High; Integrity: Low; Availability: None
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CVE ID: CVE-2025-47792
Weaknesses: CWE-284
_____________________________________________________________________
Second factor not requested after session timeout
Severity: Moderate
Published by nickvergessen as GHSA-9h3w-f3h4-qqrh on May 16, 2025

Package: Server (Nextcloud)
Affected versions: >= 29.0.0, >= 30.0.0, >= 31.0.0
Patched versions: 29.0.15, 30.0.9, 31.0.3

Package: Server (Nextcloud Enterprise)
Affected versions: >= 26.0.0, >= 27.0.0, >= 28.0.0, >= 29.0.0, >= 30.0.0, >= 31.0.0
Patched versions: 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, 31.0.3

Description

Impact
A session-handling bug caused the second-factor confirmation to be skipped after a successful username/password login when the server was configured with remember_login_cookie_lifetime set to 0: once the session expired on the second-factor selection page and the page was reloaded, the login completed without the second factor.

Patches
It is recommended that the Nextcloud Server is upgraded to 29.0.15, 30.0.9 or 31.0.3.
It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9 or 31.0.3.

Workarounds
Set remember_login_cookie_lifetime in config.php to a value other than 0, e.g. 900. Beware that this is only a workaround for new sessions created after the configuration change.
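The configuration check and the session clean-up for this workaround, as an added example written for this note (it is not Nextcloud's or CERT-Renater's code). It uses an in-memory SQLite table as a constructed, simplified stand-in for Nextcloud's oc_authtoken table (only the columns the advisory's query touches are kept, with sample rows), and it assumes the config.php setting is written as a bare integer literal:

```python
"""Added example (not Nextcloud's code): check the remember_login_cookie_lifetime
workaround and list/revoke the sessions matched by the advisory's query.

oc_authtoken below is a constructed, simplified stand-in for the real Nextcloud
table: only the columns the advisory's query touches are kept, and the rows are
sample data. Run anything like this against a backup first.
"""
import re
import sqlite3
from typing import List, Optional, Tuple

# Constructed excerpt of a config.php with the setting the advisory names.
VULNERABLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocexample',
  'remember_login_cookie_lifetime' => 0,
);
"""

# Same excerpt with the advisory's suggested workaround value (900 seconds).
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    "'remember_login_cookie_lifetime' => 0",
    "'remember_login_cookie_lifetime' => 900",
)

# Assumption: the setting is written as a bare integer literal, as in the docs.
_LIFETIME_RE = re.compile(r"'remember_login_cookie_lifetime'\s*=>\s*(\d+)")


def remember_login_cookie_lifetime(config_php: str) -> Optional[int]:
    """Return the configured lifetime in seconds, or None if the key is absent
    (Nextcloud then uses its built-in default, which is not 0)."""
    m = _LIFETIME_RE.search(config_php)
    return int(m.group(1)) if m else None


def config_matches_advisory(config_php: str) -> bool:
    """True only for the configuration the advisory describes: an explicit 0."""
    return remember_login_cookie_lifetime(config_php) == 0


# The advisory's query, verbatim. type = 0 is a temporary (browser session)
# token, remember = 0 a session created without a remember-me cookie.
AFFECTED_SESSIONS_SQL = (
    "SELECT id, uid FROM oc_authtoken WHERE type = 0 AND remember = 0"
)


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the Nextcloud database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE oc_authtoken ("
        "id INTEGER PRIMARY KEY, uid TEXT, name TEXT, type INTEGER, remember INTEGER)"
    )
    rows = [
        (1, "alice", "Firefox on Linux", 0, 0),   # plain browser session: matched
        (2, "alice", "Nextcloud Desktop", 1, 0),  # app password: not a session
        (3, "bob", "Chrome on Windows", 0, 1),    # remember-me session: not matched
        (4, "carol", "Safari on macOS", 0, 0),    # plain browser session: matched
    ]
    conn.executemany("INSERT INTO oc_authtoken VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def affected_sessions(conn: sqlite3.Connection) -> List[Tuple[int, str]]:
    """All plain browser sessions: the set the advisory tells admins to revoke so
    that no session created under the old setting survives the config change."""
    return [(row[0], row[1]) for row in conn.execute(AFFECTED_SESSIONS_SQL)]


def revoke_affected_sessions(conn: sqlite3.Connection) -> int:
    """Delete exactly the rows the advisory's query returns, forcing those users
    to log in again under the new configuration. Deleting by id leaves app
    passwords (type = 1) and remember-me sessions (remember = 1) untouched."""
    ids = [(sid,) for sid, _ in affected_sessions(conn)]
    conn.executemany("DELETE FROM oc_authtoken WHERE id = ?", ids)
    conn.commit()
    return len(ids)


if __name__ == "__main__":
    print("config vulnerable:", config_matches_advisory(VULNERABLE_CONFIG))
    db = build_sample_db()
    print("affected sessions:", affected_sessions(db))
    print("revoked:", revoke_affected_sessions(db))
```

Two practical caveats: the real table carries the prefix set by dbtableprefix in config.php (oc_ is only the default), and on a live instance the config change itself is more safely applied with `occ config:system:set remember_login_cookie_lifetime --value=900 --type=integer` than by editing config.php by hand.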
System administrators can delete the affected sessions listed by the following database query:
SELECT id, uid FROM oc_authtoken WHERE type = 0 AND remember = 0;

References
HackerOne report, pull request

CVSS v3 base score: 6.4/10
CVSS v3 base metrics: Attack vector: Network; Attack complexity: High; Privileges required: Low; User interaction: Required; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: None
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE ID: CVE-2025-47790
Weaknesses: CWE-287
_____________________________________________________________________
Bypass group folder quota limit using attachment in text file
Severity: Moderate
Published by nickvergessen as GHSA-qqgg-hhfq-vhww on May 16, 2025

Package: Enterprise Server (Nextcloud)
Affected versions: >= 30.0.0, >= 29.0.0, >= 28.0.0
Patched versions: 30.0.2, 29.0.9, 28.0.12

Package: Groupfolders (Nextcloud)
Affected versions: >= 18.0.0, >= 17.0.0, >= 16.0.0
Patched versions: 18.0.3, 17.0.5, 16.0.11

Package: Server (Nextcloud)
Affected versions: >= 30.0.0, >= 29.0.0
Patched versions: 30.0.2, 29.0.9

Description

Impact
The absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota.
Patches
It is recommended that the Nextcloud Server is upgraded to 30.0.2 or 29.0.9.
It is recommended that the Nextcloud Enterprise Server is upgraded to 30.0.2, 29.0.9 or 28.0.12.
It is recommended that the Nextcloud Groupfolders app is upgraded to 18.0.3, 17.0.5 or 16.0.11.

Workarounds
No workaround available.

References
HackerOne report, two pull requests

CVSS v3 base score: 4.3/10
CVSS v3 base metrics: Attack vector: Network; Attack complexity: Low; Privileges required: Low; User interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: Low; Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID: CVE-2025-47793
Weaknesses: CWE-770
_____________________________________________________________________
Test remote endpoint is not rate limited
Severity: Moderate
Published by nickvergessen as GHSA-c7vq-m7f8-rx37 on May 16, 2025

Package: Server (Nextcloud)
Affected versions: >= 28.0.0, >= 29.0.0, >= 30.0.0
Patched versions: 28.0.13, 29.0.10, 30.0.3

Package: Server (Nextcloud Enterprise)
Affected versions: >= 28.0.0, >= 29.0.0, >= 30.0.0
Patched versions: 28.0.13, 29.0.10, 30.0.3

Description

Impact
A now-unused endpoint for verifying a share recipient was not protected correctly, allowing requests to be proxied to another server. The endpoint has been removed.
Patches
It is recommended that the Nextcloud Server is upgraded to 28.0.13, 29.0.10 or 30.0.3.
It is recommended that the Nextcloud Enterprise Server is upgraded to 28.0.13, 29.0.10 or 30.0.3.

Workarounds
No workaround available.

References
Pull request

CVSS v3 base score: 4.3/10
CVSS v3 base metrics: Attack vector: Adjacent; Attack complexity: Low; Privileges required: None; User interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: Low
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE ID: CVE-2025-47791
Weaknesses: CWE-918
_____________________________________________________________________
Insecure temporary file creation, race with write access and permission
Severity: Low
Published by nickvergessen as GHSA-q568-2933-gcjq on May 16, 2025

Package: Enterprise Server (Nextcloud)
Affected versions: >= 26.0.0, >= 27.0.0, >= 28.0.0, >= 29.0.0, >= 30.0.0, >= 31.0.0
Patched versions: 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7, 31.0.1

Package: Server (Nextcloud)
Affected versions: >= 29.0.0, >= 30.0.0, >= 31.0.0
Patched versions: 29.0.13, 30.0.7, 31.0.1

Description

Impact
An attacker on a multi-user system may read temporary files created by a Nextcloud instance running under a different user account, or carry out a symlink attack against them.
Patches
It is recommended that the Nextcloud Server is upgraded to 29.0.13, 30.0.7 or 31.0.1.
It is recommended that the Nextcloud Enterprise Server is upgraded to 26.0.13.13, 27.1.11.13, 28.0.14.4, 29.0.13, 30.0.7 or 31.0.1.

Workarounds
No workaround available.

References
HackerOne report, pull request

CVSS v3 base score: 2.6/10
CVSS v3 base metrics: Attack vector: Network; Attack complexity: High; Privileges required: Low; User interaction: Required; Scope: Unchanged; Confidentiality: None; Integrity: Low; Availability: None
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
CVE ID: CVE-2025-47794
Weaknesses: CWE-284
Credits: @hannob (finder)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================
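For triaging the five advisories in this note against the versions a deployment actually runs, an added example written for this note (it is not Nextcloud's or CERT-Renater's code). The patched-version lists are copied from the advisory text above; the product labels ("desktop", "server", "server-enterprise", "groupfolders"), the per-major-branch matching rule and the "unlisted" status are this example's own conventions, and the deployment it triages at the end is constructed:

```python
"""Added example (not Nextcloud's or CERT-Renater's code): triage the five
advisories in this note against the versions an instance actually runs.

The patched-version lists are copied from the advisory text; the product labels
("desktop", "server", "server-enterprise", "groupfolders"), the branch-matching
rule and the "unlisted" status are this example's own conventions.
"""
from typing import Dict, List, Tuple

# (GHSA id, CVE id, product, patched versions), one row per package block above.
ADVISORIES: List[Tuple[str, str, str, List[str]]] = [
    ("GHSA-qm2f-959g-7p65", "CVE-2025-47792", "desktop", ["3.15"]),
    ("GHSA-9h3w-f3h4-qqrh", "CVE-2025-47790", "server", ["29.0.15", "30.0.9", "31.0.3"]),
    ("GHSA-9h3w-f3h4-qqrh", "CVE-2025-47790", "server-enterprise",
     ["26.0.13.15", "27.1.11.15", "28.0.14.6", "29.0.15", "30.0.9", "31.0.3"]),
    ("GHSA-qqgg-hhfq-vhww", "CVE-2025-47793", "server", ["29.0.9", "30.0.2"]),
    ("GHSA-qqgg-hhfq-vhww", "CVE-2025-47793", "server-enterprise", ["28.0.12", "29.0.9", "30.0.2"]),
    ("GHSA-qqgg-hhfq-vhww", "CVE-2025-47793", "groupfolders", ["16.0.11", "17.0.5", "18.0.3"]),
    ("GHSA-c7vq-m7f8-rx37", "CVE-2025-47791", "server", ["28.0.13", "29.0.10", "30.0.3"]),
    ("GHSA-c7vq-m7f8-rx37", "CVE-2025-47791", "server-enterprise", ["28.0.13", "29.0.10", "30.0.3"]),
    ("GHSA-q568-2933-gcjq", "CVE-2025-47794", "server", ["29.0.13", "30.0.7", "31.0.1"]),
    ("GHSA-q568-2933-gcjq", "CVE-2025-47794", "server-enterprise",
     ["26.0.13.13", "27.1.11.13", "28.0.14.4", "29.0.13", "30.0.7", "31.0.1"]),
]


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in v.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison. Shorter versions are zero-padded, so
    a four-component Enterprise build 29.0.15.0 compares equal to 29.0.15."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def status(installed: str, patched: List[str]) -> str:
    """'vulnerable' if installed is below the fix for its major branch, 'patched'
    if at or above it, 'unlisted' if the advisory names no fix for that major.
    'unlisted' needs a human look: for an older major it usually means the branch
    is end-of-life and should be treated as unfixed; for a newer major (e.g. 31.x
    for CVE-2025-47793) the advisory simply does not list it as affected."""
    major = parse_version(installed)[0]
    fixes = [p for p in patched if parse_version(p)[0] == major]
    if not fixes:
        return "unlisted"
    return "vulnerable" if version_lt(installed, fixes[0]) else "patched"


def triage(installed: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """installed maps product label -> version string. Returns one
    (GHSA, CVE, product, status) row per advisory entry for an installed product."""
    return [
        (ghsa, cve, product, status(installed[product], patched))
        for ghsa, cve, product, patched in ADVISORIES
        if product in installed
    ]


def open_findings(installed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Only the rows that still need an upgrade."""
    return [(g, c, p) for g, c, p, s in triage(installed) if s == "vulnerable"]


if __name__ == "__main__":
    # Constructed deployment: community server 29.0.12 with Groupfolders 17.0.4.
    for row in triage({"server": "29.0.12", "groupfolders": "17.0.4"}):
        print(*row)
```

The branch rule matters because every advisory here is fixed in several maintenance branches at once: a server on 29.0.12 must be compared with 29.0.15, not with 31.0.3, and an Enterprise 26.0.13.14 must be compared with the four-component 26.0.13.15. Versions are read from the instance (for example `occ status` for the server), never guessed from a release date.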