PT-2023-19314 · Nextcloud · Nextcloud Mail

Christophwurst

Published

2023-02-06

Updated

2023-02-14

CVE-2023-23944

CVSS v3.1

2.0

Low

Vector

AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud Mail versions prior to 2.2.2

Description The issue concerns the storage of user passwords in cleartext in the database during the OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed.

Recommendations For versions prior to 2.2.2, upgrade the Nextcloud Mail app to 2.2.2 to resolve the issue. As a temporary workaround, consider restricting access to the database to minimize the risk of exploitation.

Exploit

Fix

Cleartext Storage of Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-312

Related Identifiers

CVE-2023-23944

GHSA-G86R-X755-93F4

Affected Products

Nextcloud Mail

PT-2023-19314 · Nextcloud · Nextcloud Mail

CVE-2023-23944

Weakness Enumeration

Related Identifiers

Affected Products

References · 7