--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Vulnerabilities in Nextcloud Products' number: '2024-061' version: '1.0' original_date: 'June 14, 2024' date: 'June 18, 2024' --- _History:_ * _18/06/2024 --- v1.0 -- Initial publication_ # Summary On June 14, 2024, Nextcloud released patches for Nextcloud Server and Enterprise Server. A vulnerability was disclosed in Nextcloud server products that allows the bypassing of the second factor of two-factor authentication (2FA) [1,2]. # Technical Details The vulnerability **CVE-2024-37313**, with a CVSS score of 7.3, is a 2FA bypass issue. Under certain circumstances, an attacker could exploit this vulnerability to bypass the second factor of 2FA after successfully providing the user credentials [1]. # Affected Products Patched versions of the products are listed below [1,3]. - Nextcloud Server: Versions 26.0.13, 27.1.8 and 28.0.4. - Nextcloud Enterprise Server: Versions 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 and 28.0.4. # Recommendations CERT-EU strongly recommends updating affected software to the latest versions by following the instructions given by the vendor [1]. # References [1] [2] [3]