Alert!

Nextcloud: Attackers can bypass two-factor authentication

The cloud service software Nextcloud is vulnerable. The developers have closed several security gaps in current versions.


If you operate your own cloud with Nextcloud, you should update your server. Otherwise, attacks are possible and attackers can gain access.

The cloud software provider has closed a total of twelve security vulnerabilities. In addition to Nextcloud Server and Nextcloud Enterprise Server, certain components such as the calendar are also at risk.

The majority of the vulnerabilities are rated as a "medium" threat level. After successful attacks, attackers can manipulate calendar entries and direct victims to a website they control, among other things.

Two vulnerabilities in Nextcloud and Nextcloud Enterprise are considered the most dangerous. Through these, attackers can extend the permissions of shares (CVE-2024-37882, "high") or bypass two-factor authentication (CVE-2024-37313, "high"). The developers do not currently specify how such attacks could take place.

Because a list of the affected and patched versions would go beyond the scope of this message, admins must read this information in the linked warning posts.

List sorted by threat level in descending order:

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.