Uhm, hate to ask

So, in general I’m pretty happy with my self-hosted implementation of NextCloud 26, and if I understand this correctly, it looks like it’s a 2FA bypass - i.e. the assailant would have to have a username and password already, but can bypass TOTP with this vulnerability…so it’s not exactly a no-password, SQL-injection sort of a deal, which, while still a concern, isn’t like the Sonicwall VPN drama that happened in November that made my life miserable…

…but as much as I hate to be ‘that guy’…upgrading from version 26 has been in the talking stages for nearly 7 months now…but since the drive failure situation has been mostly-resolved, is it possible for the self-hosted iteration to get to a currently supported release? Is there some area where an additional set of hands would be able to assist in moving the ball forward on these updates?

Thanks!

3 Likes

I’ll be the one to say it: No one should run such an old, unsupported, and non-secure version of Nextcloud.

You mention only one vulnerability, but there could be many more. Running this software puts your data at risk of erasure and unwanted access.

1 Like