PT-2023-27170 · Nextcloud · Nextcloud+1

Author: Rullzer · Published: 2023-08-10 · Updated: 2023-08-16 · CVE-2023-39953

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: user_oidc versions 1.0.0 through 1.3.2

Description: The user_oidc app for Nextcloud does not verify the issuer of the tokens it receives. An attacker in a man-in-the-middle position can therefore return corrupted tokens, or known tokens they already have access to, in place of the legitimate provider's tokens.

Recommendations: For versions prior to 1.3.3, update to version 1.3.3, which contains a patch for the issue. As a temporary workaround, consider restricting access to the OIDC connect user backend until the patch is applied.

Related Identifiers

- CVE-2023-39953
- GHSA-XX3H-V363-Q36J

Affected Products

- Nextcloud
- User Oidc