Nextcloud Administration Settings - fake Warnings?

What app is this about, and its version: Nextcloud 31.0.11
What YunoHost version are you running: 12.1.36
What type of hardware are you using: Raspberry Pi 3, 4+

Describe your issue

Nextcloud with Memories seems to work, but the Nextcloud administration settings throw some warnings I cannot repair (see the error messages below).

What I did:
1.) No idea; the diagnosis is all OK.
2.) Searched for files with .mjs, found /etc/nginx/conf.d/apartmentskitzbuehel.at.d/nextcloud.conf:

```nginx
# Set .mjs MIME types
# Either include it in the default mime.types list
# and include that list explicitly or add the file extension
# only for Nextcloud like below:
include mime.types;
types {
    text/javascript mjs;
}
```

Isn't it?

3.) Searched for files with /.well-known/webfinger, found /etc/nginx/conf.d/apartmentskitzbuehel.at.d/nextcloud.conf:

```nginx
location ^~ /.well-known {
    # The following 6 rules are borrowed from .htaccess

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;
    #rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;

    location = /.well-known/carddav { return 301 /nextcloud/remote.php/dav/; }
    location = /.well-known/caldav { return 301 /nextcloud/remote.php/dav/; }

    location = /.well-known/webfinger { return 301 /nextcloud/index.php$request_uri; }
    location = /.well-known/nodeinfo { return 301 /nextcloud/index.php$request_uri; }

    # Let Nextcloud's API for /.well-known URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /nextcloud/index.php$request_uri;
}
```

To test, I removed the # in front of the rewrites, but there was no change in the error message.
(Nota bene: in two other YunoHost Nextclouds these lines were commented out as above as well, but there was no such message from Nextcloud!)

Same with "The X-Robots-Tag HTTP header is not set to noindex,nofollow":
found /etc/nginx/conf.d/apartmentskitzbuehel.at.d/nextcloud.conf, which shows (-> see line 7, exactly as it should be?):

```nginx
# HTTP response headers borrowed from Nextcloud .htaccess
more_set_headers "Referrer-Policy: no-referrer";
more_set_headers "X-Content-Type-Options: nosniff";
more_set_headers "X-Download-Options: noopen";
more_set_headers "X-Frame-Options: SAMEORIGIN";
more_set_headers "X-Permitted-Cross-Domain-Policies: none";
more_set_headers "X-Robots-Tag: noindex, nofollow";
more_set_headers "X-XSS-Protection: 1; mode=block";
```


Question: what should I change, and where?
(A new install of Bookworm and restore of a full backup ended with an error and was not usable; too big? 290 GB, Raspberry Pi 5B 8 GB.)
Many thanks for any help,
Bruno

Share relevant logs or error messages

"There are some errors regarding your setup.
1.) Your web server is not yet properly set up for file synchronization, because the WebDAV interface seems to be broken. For this check to run, you have to make sure that your web server can connect to itself. Therefore it must be able to resolve and connect to at least one of its trusted_domains or the overwrite.cli.url. This failure may be the result of a server-side DNS mismatch or an outbound firewall rule.

2.) Your web server does not serve .mjs files using the JavaScript MIME type. This will break some apps by preventing browsers from executing the JavaScript files. You should configure your web server to serve .mjs files with either the text/javascript or application/javascript MIME type.

3.) Your web server is not properly set up to resolve .well-known URLs, failed on: /.well-known/webfinger. For more details see the documentation.
Some headers are not set correctly on your instance - The X-Robots-Tag HTTP header is not set to noindex,nofollow. This is a potential security or privacy risk, and it is recommended to adjust this setting. - The Referrer-Policy HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referrer information. See the W3C Recommendation. For more details see the documentation."
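The warnings above come from Nextcloud requesting its own URLs (the first warning says that this self-connection failed), so the most direct way to see what the check sees is to fetch the same headers from the server itself. The following POSIX shell functions are an added example, not part of this post or of YunoHost's Nextcloud package: they evaluate a captured HTTP header block against the three conditions on the page (the .mjs MIME type, the X-Robots-Tag and Referrer-Policy values, and the webfinger redirect the nginx block above produces). The `probe_url` helper, the `cloud.example.org` host and the sample header blocks are assumptions/constructed input, and the checks are a simplified approximation rather than Nextcloud's own setup-check code.

```shell
#!/bin/sh
# Added example (not from the forum post or YunoHost): offline checks that
# mirror the three warnings above. Each function reads an HTTP header block
# (constructed sample below, or `curl -sI` output); probe_url() is the live wrapper.

# .mjs must be served as text/javascript or application/javascript.
check_mjs_type() {
  printf '%s\n' "$1" | tr -d '\r' |
    grep -iqE '^content-type: *(text|application)/javascript'
}

# X-Robots-Tag must carry both noindex and nofollow.
check_robots_tag() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i '^x-robots-tag:' |
    grep -iq 'noindex.*nofollow'
}

# Referrer-Policy must be one of the values the warning lists.
check_referrer_policy() {
  v=$(printf '%s\n' "$1" | tr -d '\r' |
      sed -n 's/^[Rr]eferrer-[Pp]olicy: *//p' | head -n 1)
  case "$v" in
    no-referrer|no-referrer-when-downgrade|strict-origin|strict-origin-when-cross-origin|same-origin) return 0 ;;
    *) return 1 ;;
  esac
}

# /.well-known/webfinger must be redirected (301) into Nextcloud's front
# controller, as the nginx block above does (/nextcloud/index.php$request_uri).
check_webfinger() {
  h=$(printf '%s\n' "$1" | tr -d '\r')
  printf '%s\n' "$h" | grep -q '^HTTP/[0-9.]* 301' &&
    printf '%s\n' "$h" | grep -iq '^location: .*/index\.php/\.well-known/webfinger'
}

# Live use, run on the server itself (the Nextcloud check connects to itself
# too); host and path are placeholders:
#   check_mjs_type "$(probe_url https://cloud.example.org/nextcloud/path/to/some.mjs)"
probe_url() { curl -sI --max-time 10 "$1"; }

# Constructed samples: what the nginx config above is meant to return.
SAMPLE_OK='HTTP/1.1 200 OK
Content-Type: text/javascript
X-Robots-Tag: noindex, nofollow
Referrer-Policy: no-referrer'
SAMPLE_BAD='HTTP/1.1 200 OK
Content-Type: application/octet-stream'
SAMPLE_WEBFINGER='HTTP/1.1 301 Moved Permanently
Location: https://cloud.example.org/nextcloud/index.php/.well-known/webfinger'
```

If the live probe passes all four checks but the admin page still complains, the failing self-connection from warning 1 (DNS or outbound firewall on the host) is the condition to fix first, since the other checks depend on it.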

Subject: Multiple security vulnerabilities in Nextcloud — update strongly recommended

Affected Versions

Nextcloud Server versions prior to 31.0.10 / 32.0.1 are affected by some of the issues.

Nextcloud Server versions prior to 31.0.12 / 32.0.3 are affected by SVG sanitization bug.

Group-folder quota bypass affects Nextcloud Server versions prior to 30.0.2, 29.0.9, 28.0.1 (and related Groupfolders app versions).

(If you use YunoHost’s packaged version of Nextcloud — verify the installed version against the above thresholds.)

Vulnerabilities Summary

| Identifier | Category | Description |
|---|---|---|
| CVE-2025-66510 | Data leakage / unauthorized access | Authenticated users could retrieve personal data (emails, names, identifiers) of other users — even those not in their contacts. |
| CVE-2025-66512 | Content-security bypass / XSS-style risk | Insufficient sanitization of uploaded/viewed SVG images allows a malicious user to bypass content security policy protections. |
| CVE-2025-47793 | Quota bypass / resource exhaustion / abuse | In multi-user group folder setups, users could upload attachments to bypass folder quota limits — enabling overuse of storage beyond intended quotas. |
| Additional vulnerabilities (e.g. SSRF, improper share-recipient endpoint) | Confidentiality / integrity / server integrity risks | Other issues documented include insecure share-recipient verification endpoint (SSRF risk) in versions prior to 28.0.13, 29.0.10, 30.0.3. |

Overall risk: Data confidentiality and integrity, content security policies, and storage quota enforcement are potentially compromised. Administrative disclosure from CERT-FR lists “data confidentiality breach, data integrity compromise, remote code-injection (XSS)” among the possible impacts.

Recommended Mitigations / Actions

- Upgrade Nextcloud to a patched version — ideally to at least 31.0.10, or better 31.0.12 / 32.0.3 (or latest stable) depending on your branch.
- For instances where upgrade is delayed: limit or disable SVG uploads or disable public/untrusted uploads; restrict who can upload or share files.
- Audit your shared folders / group-folder quota settings; verify that users cannot circumvent quotas by attaching data to text files or using quota-bypassing methods.
- After upgrade, clear caches, and consider forcing logout of all users to invalidate old sessions (especially if you were affected by session- or authentication-related vulnerabilities).
- Review access logs and sharing settings for abnormal account-discovery or data-exposure attempts (in light of data-leak vulnerabilities).

Notes Specific to YunoHost Deployments

Some users report difficulties when upgrading Nextcloud via YunoHost (e.g. failed upgrade scripts, “Internal Server Error” in web UI) after version bumps.

When performing the upgrade on YunoHost, be sure to:

- Put Nextcloud into maintenance mode.
- Use the YunoHost CLI (yunohost app upgrade) rather than the web updater, when possible.
- After upgrade, verify that all services (web, PHP-FPM, cron jobs) are restarted properly.
- If you use additional apps (e.g. Groupfolders, third-party apps), check their compatibility with the new Nextcloud version.

Sources CVE && CERT-FR

I am using Nextcloud 31.0.11. How do I update to the latest version while it is not yet offered in "yunohost/admin/#/update"?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.