Bug ID 1214179
Summary VUL-0: CVE-2023-39963: nextcloud: missing password check allows attackers to add app passwords on compromised accounts
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/374999/
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee ecsos@schirra.net
Reporter carlos.lopez@suse.com
QA Contact security-team@suse.de
Target Milestone ---
Found By ---
Blocker ---

CVE-2023-39963

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 20.0.0 and prior to versions 20.0.14.15,
21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a
missing password confirmation allowed an attacker, after successfully stealing
a session from a logged in user, to create app passwords for the victim.
Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise
Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5,
25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds
are available.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39963
https://www.cve.org/CVERecord?id=CVE-2023-39963
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5
https://github.com/nextcloud/server/pull/39416
https://hackerone.com/reports/2067572
