From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability Description:
   - Title: Global credentials of external storages are sent back to the frontend
   - Reporter: nickvergessen
   - Published Date: Yesterday
   - Severity: Moderate
   - CVSS v3 Base Metrics:
     - Attack Vector: Physical
     - Attack Complexity: High
     - Privileges Required: High
     - User Interaction: Required
     - Scope: Changed
     - Confidentiality: High
     - Integrity: None
     - Availability: None

2. Affected Versions:
   - Nextcloud Server:
     - >= 28.0.0, >= 29.0.0, >= 30.0.0
   - Nextcloud Enterprise Server:
     - >= 25.0.0, >= 26.0.0, >= 27.0.0, >= 28.0.0, >= 29.0.0, >= 30.0.0

3. Fixed Versions:
   - Nextcloud Server:
     - 28.0.11, 29.0.8, 30.0.1
   - Nextcloud Enterprise Server:
     - 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8, 30.0.1

4. Impact:
   - After storing "global credentials", the API returns them and adds them to the frontend, allowing an attacker to read them in plaintext during an active session of an authenticated user.

5. Patch Recommendation:
   - Upgrade to the following versions:
     - Nextcloud Server: 28.0.11, 29.0.8, 30.0.1
     - Nextcloud Enterprise Server: 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8, 30.0.1

6. Workarounds:
   - No workarounds are available.

7. References:
   - Reporter: Bundesamt für Sicherheit in der Informationstechnik (BSI)
   - HackerOne
   - PullRequest

8. Additional Information:
   - For any questions or comments, create a post in nextcloud/security-advisories.
   - Clients: Open a support ticket at portal.nextcloud.com.

This information helps understand the nature, scope of impact, and how to remediate and prevent the vulnerability.