CVE-2023-45151
6.5
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Summary
Nextcloud server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext which allows an attacker who has gained access to the server to potentially elevate their privilege. This issue has been addressed and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | >= 25.0.0, < 25.0.8 | affected |
| nextcloud | security-advisories | >= 26.0.0, < 26.0.3 | affected |
| nextcloud | security-advisories | >= 27.0.0, < 27.0.1 | affected |
Weaknesses
- CWE-312: CWE-312: Cleartext Storage of Sensitive Information
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9
- https://github.com/nextcloud/server/pull/38398
- https://hackerone.com/reports/1994324
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhgv-jcg9-p4m9
- https://github.com/nextcloud/server/pull/38398
- https://hackerone.com/reports/1994324
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.