PT-2023-8428 · Nextcloud+1 · Nextcloud Text+2

Nickvergessen

Publicado

2023-05-26

Atualizado

2025-01-24

CVE-2023-32318

CVSS v3.1

7.2

Alta

Vetor

AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 25.0.6 Nextcloud Server versions prior to 26.0.1

Description A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account, the previous session would be continued and the attacker would be authenticated as the previously logged in user. This issue is related to incorrect session expiration.

Recommendations For Nextcloud Server versions prior to 25.0.6, upgrade to 25.0.6 to resolve the issue. For Nextcloud Server versions prior to 26.0.1, upgrade to 26.0.1 to resolve the issue. As a temporary workaround, consider clearing cookies manually after logout to prevent session continuation.

Exploit

Correção

Insufficient Session Expiration

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-613

Identificadores relacionados

ALT-PU-2023-2009

ALT-PU-2023-7785

ALT-PU-2025-1855

BDU:2024-00712

CVE-2023-32318

GHSA-Q8C4-CHPJ-6V38

Produtos afetados

Alt Linux

Nextcloud Server

Nextcloud Text

PT-2023-8428 · Nextcloud+1 · Nextcloud Text+2

CVE-2023-32318

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7