Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for group_folders by nextcloud

    CVE-2025-66545 (GCVE-0-2025-66545)

    Vulnerability from nvd – Published: 2025-12-05 17:44 – Updated: 2025-12-08 19:55
    VLAI
    Title
    Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin
    Summary
    Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-707 - Improper Neutralization
    Assigner
    Impacted products
    Vendor Product Version
    nextcloud security-advisories Affected: < 14.0.11
    Affected: >= 15.0.0-beta1, < 15.3.12
    Affected: >= 16.0.0, < 16.0.15
    Affected: >= 17.0.0-beta.1, < 17.0.14
    Affected: >= 18.0.0-beta.1, < 18.1.8
    Affected: >= 19.0.0-alpha.1, < 19.1.8
    Affected: >= 20.0.0, < 20.1.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66545",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T19:55:07.172366Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T19:55:13.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "security-advisories",
              "vendor": "nextcloud",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 14.0.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 15.0.0-beta1, \u003c 15.3.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0, \u003c 16.0.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-beta.1, \u003c 17.0.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-beta.1, \u003c 18.1.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-alpha.1, \u003c 19.1.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0, \u003c 20.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-707",
                  "description": "CWE-707: Improper Neutralization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-05T17:44:13.312Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/issues/4041",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/issues/4041"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/pull/4076",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/pull/4076"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58"
            }
          ],
          "source": {
            "advisory": "GHSA-2vrq-fhmf-c49m",
            "discovery": "UNKNOWN"
          },
          "title": "Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66545",
        "datePublished": "2025-12-05T17:44:13.312Z",
        "dateReserved": "2025-12-04T15:52:26.549Z",
        "dateUpdated": "2025-12-08T19:55:13.290Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47793 (GCVE-0-2025-47793)

    Vulnerability from nvd – Published: 2025-05-16 14:31 – Updated: 2025-05-16 14:49
    VLAI
    Title
    Nextcloud Server and Groupfolders app vulnerable to bypass of group folder quota limit using attachment in text file
    Summary
    Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota. Nextcloud Server versions 30.0.2 and 29.0.9, Nextcloud Enterprise Server versions 30.0.2, 29.0.9, or 28.0.12, and Nextcloud Groupfolders app 18.0.3, 17.0.5, and 16.0.11 fix the issue. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    nextcloud security-advisories Affected: >= 30.0.0, < 30.0.2
    Affected: >= 29.0.0, < 29.0.9
    Affected: >= 28.0.0, < 28.0.12
    Affected: >= 18.0.0, < 18.0.3
    Affected: >= 17.0.0, < 17.0.5
    Affected: >= 16.0.0, < 16.0.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47793",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T14:49:00.953580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T14:49:07.567Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "security-advisories",
              "vendor": "nextcloud",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 30.0.0, \u003c 30.0.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 29.0.0, \u003c 29.0.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 28.0.0, \u003c 28.0.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0, \u003c 18.0.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0, \u003c 17.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0, \u003c 16.0.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota. Nextcloud Server versions 30.0.2 and 29.0.9, Nextcloud Enterprise Server versions 30.0.2, 29.0.9, or 28.0.12, and Nextcloud Groupfolders app 18.0.3, 17.0.5, and 16.0.11 fix the issue. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-16T14:31:50.742Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgg-hhfq-vhww",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgg-hhfq-vhww"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/pull/3328",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/pull/3328"
            },
            {
              "name": "https://github.com/nextcloud/server/pull/48623",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/server/pull/48623"
            },
            {
              "name": "https://hackerone.com/reports/2713272",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/2713272"
            }
          ],
          "source": {
            "advisory": "GHSA-qqgg-hhfq-vhww",
            "discovery": "UNKNOWN"
          },
          "title": "Nextcloud Server and Groupfolders app vulnerable to bypass of group folder quota limit using attachment in text file"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47793",
        "datePublished": "2025-05-16T14:31:50.742Z",
        "dateReserved": "2025-05-09T19:49:35.622Z",
        "dateUpdated": "2025-05-16T14:49:07.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8153 (GCVE-0-2020-8153)

    Vulnerability from nvd – Published: 2020-05-12 13:01 – Updated: 2024-08-04 09:48
    VLAI
    Summary
    Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.
    Severity
    No CVSS data available.
    CWE
    • CWE-284 - Improper Access Control - Generic (CWE-284)
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Nextcloud Groupfolders Affected: 4.0.4
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:48:25.662Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/642515"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017"
              },
              {
                "name": "FEDORA-2020-c9863904de",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nextcloud Groupfolders",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.0.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control - Generic (CWE-284)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-19T18:06:22.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/642515"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017"
            },
            {
              "name": "FEDORA-2020-c9863904de",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2020-8153",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nextcloud Groupfolders",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.0.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control - Generic (CWE-284)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/642515",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/642515"
                },
                {
                  "name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017",
                  "refsource": "MISC",
                  "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017"
                },
                {
                  "name": "FEDORA-2020-c9863904de",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2020-8153",
        "datePublished": "2020-05-12T13:01:33.000Z",
        "dateReserved": "2020-01-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T09:48:25.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-66545 (GCVE-0-2025-66545)

    Vulnerability from cvelistv5 – Published: 2025-12-05 17:44 – Updated: 2025-12-08 19:55
    VLAI
    Title
    Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin
    Summary
    Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-707 - Improper Neutralization
    Assigner
    Impacted products
    Vendor Product Version
    nextcloud security-advisories Affected: < 14.0.11
    Affected: >= 15.0.0-beta1, < 15.3.12
    Affected: >= 16.0.0, < 16.0.15
    Affected: >= 17.0.0-beta.1, < 17.0.14
    Affected: >= 18.0.0-beta.1, < 18.1.8
    Affected: >= 19.0.0-alpha.1, < 19.1.8
    Affected: >= 20.0.0, < 20.1.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66545",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-12-08T19:55:07.172366Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-08T19:55:13.290Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "security-advisories",
              "vendor": "nextcloud",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 14.0.11"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 15.0.0-beta1, \u003c 15.3.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0, \u003c 16.0.15"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0-beta.1, \u003c 17.0.14"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0-beta.1, \u003c 18.1.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 19.0.0-alpha.1, \u003c 19.1.8"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 20.0.0, \u003c 20.1.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-707",
                  "description": "CWE-707: Improper Neutralization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-12-05T17:44:13.312Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/issues/4041",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/issues/4041"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/pull/4076",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/pull/4076"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58"
            }
          ],
          "source": {
            "advisory": "GHSA-2vrq-fhmf-c49m",
            "discovery": "UNKNOWN"
          },
          "title": "Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66545",
        "datePublished": "2025-12-05T17:44:13.312Z",
        "dateReserved": "2025-12-04T15:52:26.549Z",
        "dateUpdated": "2025-12-08T19:55:13.290Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-47793 (GCVE-0-2025-47793)

    Vulnerability from cvelistv5 – Published: 2025-05-16 14:31 – Updated: 2025-05-16 14:49
    VLAI
    Title
    Nextcloud Server and Groupfolders app vulnerable to bypass of group folder quota limit using attachment in text file
    Summary
    Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota. Nextcloud Server versions 30.0.2 and 29.0.9, Nextcloud Enterprise Server versions 30.0.2, 29.0.9, or 28.0.12, and Nextcloud Groupfolders app 18.0.3, 17.0.5, and 16.0.11 fix the issue. No known workarounds are available.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    Impacted products
    Vendor Product Version
    nextcloud security-advisories Affected: >= 30.0.0, < 30.0.2
    Affected: >= 29.0.0, < 29.0.9
    Affected: >= 28.0.0, < 28.0.12
    Affected: >= 18.0.0, < 18.0.3
    Affected: >= 17.0.0, < 17.0.5
    Affected: >= 16.0.0, < 16.0.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-47793",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T14:49:00.953580Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-16T14:49:07.567Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "security-advisories",
              "vendor": "nextcloud",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 30.0.0, \u003c 30.0.2"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 29.0.0, \u003c 29.0.9"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 28.0.0, \u003c 28.0.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 18.0.0, \u003c 18.0.3"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 17.0.0, \u003c 17.0.5"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 16.0.0, \u003c 16.0.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota. Nextcloud Server versions 30.0.2 and 29.0.9, Nextcloud Enterprise Server versions 30.0.2, 29.0.9, or 28.0.12, and Nextcloud Groupfolders app 18.0.3, 17.0.5, and 16.0.11 fix the issue. No known workarounds are available."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-770",
                  "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-16T14:31:50.742Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgg-hhfq-vhww",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qqgg-hhfq-vhww"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/pull/3328",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/groupfolders/pull/3328"
            },
            {
              "name": "https://github.com/nextcloud/server/pull/48623",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nextcloud/server/pull/48623"
            },
            {
              "name": "https://hackerone.com/reports/2713272",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/2713272"
            }
          ],
          "source": {
            "advisory": "GHSA-qqgg-hhfq-vhww",
            "discovery": "UNKNOWN"
          },
          "title": "Nextcloud Server and Groupfolders app vulnerable to bypass of group folder quota limit using attachment in text file"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-47793",
        "datePublished": "2025-05-16T14:31:50.742Z",
        "dateReserved": "2025-05-09T19:49:35.622Z",
        "dateUpdated": "2025-05-16T14:49:07.567Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8153 (GCVE-0-2020-8153)

    Vulnerability from cvelistv5 – Published: 2020-05-12 13:01 – Updated: 2024-08-04 09:48
    VLAI
    Summary
    Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.
    Severity
    No CVSS data available.
    CWE
    • CWE-284 - Improper Access Control - Generic (CWE-284)
    Assigner
    References
    Impacted products
    Vendor Product Version
    n/a Nextcloud Groupfolders Affected: 4.0.4
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T09:48:25.662Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/642515"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017"
              },
              {
                "name": "FEDORA-2020-c9863904de",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_FEDORA",
                  "x_transferred"
                ],
                "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Nextcloud Groupfolders",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.0.4"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Control - Generic (CWE-284)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-19T18:06:22.000Z",
            "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
            "shortName": "hackerone"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://hackerone.com/reports/642515"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017"
            },
            {
              "name": "FEDORA-2020-c9863904de",
              "tags": [
                "vendor-advisory",
                "x_refsource_FEDORA"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "support@hackerone.com",
              "ID": "CVE-2020-8153",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Nextcloud Groupfolders",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "4.0.4"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "Improper Access Control - Generic (CWE-284)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://hackerone.com/reports/642515",
                  "refsource": "MISC",
                  "url": "https://hackerone.com/reports/642515"
                },
                {
                  "name": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017",
                  "refsource": "MISC",
                  "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2020-017"
                },
                {
                  "name": "FEDORA-2020-c9863904de",
                  "refsource": "FEDORA",
                  "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KC6HLX5SG4PZO6Y54D2LFJ4ATG76BKOP/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "assignerShortName": "hackerone",
        "cveId": "CVE-2020-8153",
        "datePublished": "2020-05-12T13:01:33.000Z",
        "dateReserved": "2020-01-28T00:00:00.000Z",
        "dateUpdated": "2024-08-04T09:48:25.662Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }