Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.
History

Fri, 11 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-08-10T17:26:30.163Z

Updated: 2024-10-10T17:53:05.396Z

Reserved: 2023-08-07T16:27:27.076Z

Link: CVE-2023-39963

cve-icon Vulnrichment

Updated: 2024-08-02T18:18:10.175Z

cve-icon NVD

Status : Modified

Published: 2023-08-10T18:15:10.813

Modified: 2024-11-21T08:16:07.890

Link: CVE-2023-39963

cve-icon Redhat

No data.