Security update for nextcloud SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:0262-1 Final 1 1 2021-02-08T11:05:25Z current 2021-02-08T11:05:25Z 2021-02-08T11:05:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nextcloud This update for nextcloud fixes the following issues: - nextcloud was upgraded to version 20.0.7 - CVE-2020-8294: Fixed a missing link validation (boo#1181803) - CVE-2020-8295: Fixed a denial of service attack (boo#1181804) - CVE-2020-8293: Fixed an input validation issue (boo#1181445) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-262 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RL6T5BYT4RSAM4DNXPXTDKBKHKKNDVHW/ E-Mail link for openSUSE-SU-2021:0262-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1181445 SUSE Bug 1181445 https://bugzilla.suse.com/1181803 SUSE Bug 1181803 https://bugzilla.suse.com/1181804 SUSE Bug 1181804 https://www.suse.com/security/cve/CVE-2020-8293/ SUSE CVE CVE-2020-8293 page https://www.suse.com/security/cve/CVE-2020-8294/ SUSE CVE CVE-2020-8294 page https://www.suse.com/security/cve/CVE-2020-8295/ SUSE CVE CVE-2020-8295 page openSUSE Leap 15.2 nextcloud-20.0.7-lp152.3.6.1 nextcloud-apache-20.0.7-lp152.3.6.1 nextcloud-20.0.7-lp152.3.6.1 as a component of openSUSE Leap 15.2 nextcloud-apache-20.0.7-lp152.3.6.1 as a component of openSUSE Leap 15.2 A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules. CVE-2020-8293 openSUSE Leap 15.2:nextcloud-20.0.7-lp152.3.6.1 openSUSE Leap 15.2:nextcloud-apache-20.0.7-lp152.3.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RL6T5BYT4RSAM4DNXPXTDKBKHKKNDVHW/ https://www.suse.com/security/cve/CVE-2020-8293.html CVE-2020-8293 https://bugzilla.suse.com/1181445 SUSE Bug 1181445 A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format. CVE-2020-8294 openSUSE Leap 15.2:nextcloud-20.0.7-lp152.3.6.1 openSUSE Leap 15.2:nextcloud-apache-20.0.7-lp152.3.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RL6T5BYT4RSAM4DNXPXTDKBKHKKNDVHW/ https://www.suse.com/security/cve/CVE-2020-8294.html CVE-2020-8294 https://bugzilla.suse.com/1181803 SUSE Bug 1181803 A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user. CVE-2020-8295 openSUSE Leap 15.2:nextcloud-20.0.7-lp152.3.6.1 openSUSE Leap 15.2:nextcloud-apache-20.0.7-lp152.3.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/RL6T5BYT4RSAM4DNXPXTDKBKHKKNDVHW/ https://www.suse.com/security/cve/CVE-2020-8295.html CVE-2020-8295 https://bugzilla.suse.com/1181804 SUSE Bug 1181804