Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-32318

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.

Published

2023-05-26T18:15:13.930

Last Modified

2024-11-21T08:03:06.160

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

Weaknesses

Type: Secondary
CWE-613
Type: Primary
CWE-613

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 25.0.6	Yes
Application	nextcloud	nextcloud_server	< 25.0.6	Yes
Application	nextcloud	nextcloud_server	26.0.0	Yes
Application	nextcloud	nextcloud_server	26.0.0	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38 Vendor Advisory ([email protected])
https://github.com/nextcloud/text/pull/3946 Patch ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/text/pull/3946 Patch (af854a3a-2127-422b-91ae-364da2661108)