Vulnerability Monitor


CVE-2023-28848

user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 up to, but not including, 1.3.0 effectively allowed an attacker to bypass the state protection, because the expected state token could simply be copied from the first request into their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.

Published

2023-04-04T13:15:08.797

Last Modified

2024-11-21T07:56:09.070

Status

Modified

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses
  • CWE-352 (Primary)

Affected Vendors & Products
Type         Vendor     Product    Version/Range   Vulnerable?
Application  nextcloud  user_oidc  < 1.3.0         Yes