User scoped external storage can be used to gather credentials of other users
Package: Server (Nextcloud)
Affected versions: >= 25.0.0, >= 26.0.0
Patched versions: 25.0.7, 26.0.2

Package: Server (Nextcloud Enterprise)
Affected versions: >= 19.0.0, >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0, >= 26.0.0
Patched versions: 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, 26.0.2
Impact
A user could use this functionality to get access to the login credentials of another user and take over their account.
Patches
It is recommended that Nextcloud Server is upgraded to 25.0.7 or 26.0.2.
It is recommended that Nextcloud Enterprise Server is upgraded to 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 or 26.0.2.
Workarounds
3 Workarounds are available:
…/index.php/settings/admin/externalstorages
…/index.php/settings/admin/externalstorages
with the following types:
References
For more information
If you have any questions or comments about this advisory: