Upstream information

CVE-2023-32318 at MITRE

Description

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having important severity.

CVSS v3 Scores
  National Vulnerability Database
Base Score 7.2
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Changed
Confidentiality Impact High
Integrity Impact High
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1211788 [NEW]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Fri May 26 22:02:09 2023
CVE page last modified: Mon May 29 12:11:05 2023