https://bugzilla.suse.com/show_bug.cgi?id=1214179 Bug ID: 1214179 Summary: VUL-0: CVE-2023-39963: nextcloud: missing password check allows attackers to add app passwords on compromised accounts Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.4 Hardware: Other URL: https://smash.suse.de/issue/374999/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos@schirra.net Reporter: carlos.lopez@suse.com QA Contact: security-team@suse.de Target Milestone: --- Found By: --- Blocker: --- CVE-2023-39963 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39963 https://www.cve.org/CVERecord?id=CVE-2023-39963 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4... https://github.com/nextcloud/server/pull/39416 https://hackerone.com/reports/2067572 -- You are receiving this mail because: You are on the CC list for the bug.