PT-2023-22005 · Nextcloud · User Oidc

Mikaelgundersen · Published 2023-04-04 · Updated 2023-04-10 · CVE-2023-28848

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: user oidc, versions 1.0.0 through 1.3.0
Description: A vulnerability in user oidc, the OIDC connect user backend for Nextcloud, an open source collaboration platform, allowed an attacker to bypass the state protection of the OIDC login flow. This was possible because an attacker could copy the expected state token from the first request into their second request, so the state value no longer proved that the callback belonged to the login the victim's session had started.
Recommendations: For versions 1.0.0 through 1.3.0, upgrade user oidc to version 1.3.0 to receive a patch for the issue.
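The defensive property the advisory describes is that an OIDC state value must be bound to the session that started the login and must be accepted at most once, so a value copied from one request cannot satisfy the check in another. The following is an added illustration of that pattern, not code from user oidc or from Nextcloud; the OidcStateStore class, the session identifiers and the in-memory store are constructed for the example.

```python
import hmac
import secrets


class OidcStateStore:
    """Tracks outstanding OIDC login states per session (constructed example).

    Properties enforced:
      * state is generated server-side, never taken from the client;
      * state is bound to the session that started the login;
      * state is consumed on first successful use, so a replay fails.
    """

    def __init__(self):
        # session_id -> set of state values issued to that session
        self._pending = {}

    def begin_login(self, session_id):
        """Start a login for this session and return the state to send to the IdP."""
        state = secrets.token_urlsafe(32)
        self._pending.setdefault(session_id, set()).add(state)
        return state

    def finish_login(self, session_id, state_from_callback):
        """Validate the state returned on the callback for this session.

        Returns True only if the value was issued to this same session and has
        not been used before; the value is discarded once accepted.
        """
        outstanding = self._pending.get(session_id, set())
        # Constant-time comparison against each outstanding value.
        match = next(
            (s for s in outstanding if hmac.compare_digest(s, state_from_callback)),
            None,
        )
        if match is None:
            return False
        outstanding.discard(match)  # single use: a copied value will not pass again
        return True


def demo():
    """Walk through the normal flow, a replay, and a cross-session reuse."""
    store = OidcStateStore()
    state = store.begin_login("session-victim")
    first = store.finish_login("session-victim", state)        # genuine callback
    replay = store.finish_login("session-victim", state)       # same value again
    other = store.begin_login("session-victim")
    cross = store.finish_login("session-attacker", other)      # value from another session
    return first, replay, cross  # expected (True, False, False)


if __name__ == "__main__":
    print(demo())
```

The check that matters is the combination of session binding and single use; a validator that accepts any value it has ever issued, or that takes the expected value from the same request it is validating, provides no protection even when the comparison itself is correct.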

Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers

CVE-2023-28848
GHSA-52HV-XW32-WF7F

Affected Products

User Oidc