CVE-2023-45151

Nextcloud Server is an open source home cloud platform. Affected versions of Nextcloud stored OAuth2 tokens in plaintext, which allows an attacker who has gained access to the server to potentially elevate their privileges. This issue has been addressed, and users are recommended to upgrade their Nextcloud Server to version 25.0.8, 26.0.3 or 27.0.1. There are no known workarounds for this vulnerability.
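
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|----------|------|------------|-------------|-----------------|----------------|--------|
| NIST | NIST | 6.5 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
| GitHub_M | CNA | 6.5 MEDIUM | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | --- | | | | --- |
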
EPSS Score percentile: 69%

| Vendor | Product | Version |
|--------|---------|---------|
| nextcloud | nextcloud_server | 25.0.0 ≤ 𝑥 < 25.0.8 |
| nextcloud | nextcloud_server | 25.0.0 ≤ 𝑥 < 25.0.8 |
| nextcloud | nextcloud_server | 26.0.0 ≤ 𝑥 < 26.0.3 |
| nextcloud | nextcloud_server | 26.0.0 ≤ 𝑥 < 26.0.3 |
| nextcloud | nextcloud_server | 27.0.0 |
| nextcloud | nextcloud_server | 27.0.0 |

𝑥 = Vulnerable software versions