nextcloud 29.0.5
vuln: session hijacking
observation:
During the security testing, it was observed that the Nextcloud server is vulnerable to session hijacking. By copying the session cookies from a logged-in browser session and pasting them into another browser, it was possible to bypass the authentication process and gain access to the account without re-entering credentials.
Or, you could use external identity and authentication providers, which may have some of these settings configured by default and/or offer additional security mechanisms.
However, these solutions do not magically make your web applications more secure, or rather it depends on how they are configured. And they add additional complexity to your setup, which in turn makes them prone to misconfiguration if you don’t know exactly what you’re doing.
Also, as @jtr said, if someone gets local access to a client, for example through malware, there is only so much you can do on the server side, so of course endpoint protection and educating your users is just as important as hardening your servers, or in some cases even more important, as most “hacks” still happen because users install malicious software on their clients, or by simple phishing attacks.
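Added example, not taken from this thread and not Nextcloud's own code: a toy in-memory session store that binds each session cookie to the client IP and User-Agent it was issued to, so that a cookie pasted into a different browser on a different host is rejected and revoked. The store class, the fingerprint scheme, the IPs and User-Agent strings are all assumptions made up for the illustration. It also shows the limit the reply above points at: when the copied cookie is replayed from the same client context (for example by malware on the victim's machine), the server cannot tell the two apart.

```python
"""Session cookie bound to client context (constructed illustration).

Not Nextcloud code. A session is issued for a (client IP, User-Agent)
pair; a request presenting the cookie from a different pair is rejected
and the session revoked. Replay from the same pair is indistinguishable.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600  # assumed idle timeout in seconds


class SessionStore:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions = {}  # token -> {"user", "fp", "issued", "last_seen"}

    def _fingerprint(self, ip: str, user_agent: str) -> str:
        # Keyed hash so the stored value reveals neither IP nor User-Agent.
        msg = f"{ip}\x00{user_agent}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def login(self, user: str, ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)  # 256-bit random cookie value
        now = time.time()
        self._sessions[token] = {
            "user": user,
            "fp": self._fingerprint(ip, user_agent),
            "issued": now,
            "last_seen": now,
        }
        return token

    def authenticate(self, token: str, ip: str, user_agent: str, now=None):
        """Return (user, reason); user is None when the cookie is rejected."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            return None, "unknown-session"
        if now - sess["last_seen"] > SESSION_TTL:
            del self._sessions[token]
            return None, "expired"
        fp = self._fingerprint(ip, user_agent)
        if not hmac.compare_digest(fp, sess["fp"]):
            # Cookie presented from a different client context: revoke it, so
            # the legitimate user is logged out as well and notices the theft.
            del self._sessions[token]
            return None, "context-mismatch"
        sess["last_seen"] = now
        return sess["user"], "ok"

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def demo():
    """Walk through the scenario from the thread; returns the outcomes."""
    store = SessionStore(secrets.token_bytes(32))
    # Constructed client identities for the illustration.
    ua_victim = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
    ua_attacker = "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
    victim_ip, attacker_ip = "203.0.113.10", "198.51.100.7"

    results = {}
    cookie = store.login("alice", victim_ip, ua_victim)
    # Same browser, same network: accepted.
    results["victim"] = store.authenticate(cookie, victim_ip, ua_victim)
    # Cookie pasted into another browser on another host: rejected and revoked.
    results["other_host"] = store.authenticate(cookie, attacker_ip, ua_attacker)
    # The victim's next request now fails too, which surfaces the theft.
    results["victim_after"] = store.authenticate(cookie, victim_ip, ua_victim)
    # Limit: a copy replayed from the same IP and User-Agent is accepted.
    cookie2 = store.login("alice", victim_ip, ua_victim)
    results["same_context"] = store.authenticate(cookie2, victim_ip, ua_victim)
    # Idle timeout still bounds how long a stolen cookie stays usable.
    results["expired"] = store.authenticate(
        cookie2, victim_ip, ua_victim, now=time.time() + 2 * SESSION_TTL)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:14s} -> {outcome}")
```

The check is cheap and catches the exact "paste the cookie into another browser" case reported above, but it is not a substitute for the server-side controls (short session lifetime, 2FA) or the endpoint hygiene the reply describes: IP-binding also breaks legitimate users on mobile networks, and an attacker who already runs code on the client can copy the User-Agent along with the cookie.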