CVE-2021-32802— Preview generation used third-party library not suited for user-generated content in Nextcloud server
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-32802
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Preview generation used third-party library not suited for user-generated content in Nextcloud server
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
从非可信控制范围包含功能例程
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nextcloud 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。 Nextcloud 存在安全漏洞,该漏洞源于Nextcloud 服务器调用了不可信内容的第三方库。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| nextcloud | security-advisories | < 20.0.12 | - |
II. Public POCs for CVE-2021-32802
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-32802
请登录查看更多情报信息。
- https://hackerone.com/reports/1261413x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2021-32802
Same Patch Batch · nextcloud · 2021-09-07 · 9 CVEs total
| CVE-2021-32800 | 8.1 HIGH | Bypass of Two Factor Authentication in Nextcloud server |
| CVE-2021-37628 | 7.5 HIGH | File Drop can be bypassed using Richdocuments app in nextcloud |
| CVE-2021-37630 | 6.5 MEDIUM | Secret Circle can be joined without approval in Nextcloud Circles |
| CVE-2021-37631 | 6.5 MEDIUM | Circle can be accessed by non-Circle members in Nextcloud Deck |
| CVE-2021-32782 | 5.8 MEDIUM | Cross-Site Scripting in Nextcloud Circles |
| CVE-2021-32801 | 5.5 MEDIUM | Exceptions may have logged Encryption-at-Rest key content in Nextcloud server |
| CVE-2021-32766 | 5.3 MEDIUM | Nextcloud Text app can disclose existence of folders in "File Drop" link share |
| CVE-2021-37629 | 5.3 MEDIUM | Lack of ratelimit on Richdocuments OCS endpoint in nextcloud |
IV. Related Vulnerabilities
Same product: security-advisories
- CVE-2026-28272
Kiteworks Email Protection Gateway has a Cross-site Scriptin - CVE-2026-28271
Kiteworks Core is vulnerable to Server-Side Request Forgery - CVE-2026-28270
Kiteworks Core has an Unrestricted Upload of File with Dange - CVE-2026-28269
Kiteworks Core has an OS Command Injection - CVE-2025-66558
Nextcloud Twofactor WebAuthn app was updated based on public
Same vendor: nextcloud
- CVE-2025-66558
Nextcloud Twofactor WebAuthn app was updated based on public - CVE-2025-66556
Nextcloud talk allows participants to blindly delete poll dr - CVE-2025-66554
Nextcloud Contacts vulnerable to Stored XSS in contacts app - CVE-2025-66549
Nextcloud Desktop discloses information when attempting to l - CVE-2025-66545
Nextcloud Groupfolders users with read-only permissions for
Same weakness: CWE-829
- CVE-2026-45184
Kdenlive 26.04.1前代理参数注入漏洞 - CVE-2026-43571
OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Res - CVE-2026-43569
OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablem - CVE-2026-43003
OpenStack ironic-python-agent 安全漏洞 - CVE-2026-41396
OpenClaw < 2026.3.31 - Environment Variable Override of Plug
V. Comments for CVE-2021-32802
No comments yet