The Nextcloud Notes app is a distraction-free note-taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder to store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.

https://github.com/nextcloud/notes/pull/1260
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wfqv-cx85-7rjx
https://hackerone.com/reports/2254151

Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data leading to a bad redirect for participants when clicked. It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2.

https://github.com/nextcloud/calendar/pull/5966
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2r7q-vfmv-79qf
https://hackerone.com/reports/2457588

Nextcloud Server is a self-hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5mq8-738w-5942
https://github.com/nextcloud/server/pull/43727
https://hackerone.com/reports/1356508

Created nextcloud tracking bugs for this issue:
Affects: fedora-all [bug 2292850]

Created nextcloud-client tracking bugs for this issue:
Affects: epel-all [bug 2292846]
Affects: fedora-all [bug 2292845]

Created nextcloud:23/nextcloud tracking bugs for this issue:
Affects: epel-all [bug 2292847]

Created nextcloud:24/nextcloud tracking bugs for this issue:
Affects: epel-all [bug 2292848]

Created nextcloud:nextcloud-22/nextcloud tracking bugs for this issue:
Affects: epel-all [bug 2292849]