So, in general I’m pretty happy with my self-hosted implementation of Nextcloud 26, and if I understand this correctly, it looks like it’s a 2FA bypass - i.e. the assailant would have to have a username and password already, but can bypass TOTP with this vulnerability…so it’s not exactly a no-password, SQL-injection sort of a deal, which, while still a concern, isn’t like the SonicWall VPN drama that happened in November that made my life miserable…
…but as much as I hate to be ‘that guy’…upgrading from version 26 has been in the talking stages for nearly 7 months now…but since the drive failure situation has been mostly resolved, is it possible for the self-hosted iteration to get to a currently supported release? Is there some area where an additional set of hands would be able to assist in moving the ball forward on these updates?
Thanks!