PT-2024-1285 · Nextcloud · Nextcloud Server
Solracsf · Published 2024-01-18 · Updated 2025-01-24 · CVE-2024-22403
CVSS v3.1: 3.0 (Low)
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 28.0.0
Description
The issue concerns the expiration of OAuth authorization codes in Nextcloud Server, a self-hosted personal cloud system. In affected versions, authorization codes never expired, so an attacker who obtained a code could redeem it for authentication at any later time. Exploitation requires first intercepting an authorization code from a user's session. As of version 28.0.0, codes are invalidated 10 minutes after issuance and are no longer accepted for authentication.
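As an added illustration (not Nextcloud's own code), a minimal Python model of the two behaviours the advisory contrasts: `redeem_vulnerable` never looks at when a code was issued, while `redeem_fixed` rejects and discards any code older than the 10-minute window. The store class, the client and user names, and the timestamps are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Expiry window the advisory states was introduced in Nextcloud Server 28.0.0.
CODE_LIFETIME_SECONDS = 10 * 60


@dataclass
class AuthCode:
    client_id: str
    user_id: str
    issued_at: float  # Unix timestamp of issuance


class AuthCodeStore:
    """Hypothetical in-memory authorization-code store (constructed for this example)."""

    def __init__(self) -> None:
        self._codes: Dict[str, AuthCode] = {}

    def issue(self, client_id: str, user_id: str, now: float) -> str:
        # The code is a high-entropy random token; only its age is at issue here.
        code = secrets.token_urlsafe(32)
        self._codes[code] = AuthCode(client_id, user_id, now)
        return code

    def redeem_vulnerable(self, code: str, client_id: str) -> Optional[str]:
        """Pre-28.0.0 behaviour: issuance time is never checked, so a leaked code works forever."""
        entry = self._codes.get(code)
        if entry is None or entry.client_id != client_id:
            return None
        return entry.user_id

    def redeem_fixed(self, code: str, client_id: str, now: float) -> Optional[str]:
        """28.0.0 behaviour: a code older than CODE_LIFETIME_SECONDS is invalidated and rejected."""
        entry = self._codes.get(code)
        if entry is None or entry.client_id != client_id:
            return None
        if now - entry.issued_at > CODE_LIFETIME_SECONDS:
            self._codes.pop(code, None)  # drop the stale code so later attempts also fail
            return None
        return entry.user_id


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Issue one code, then try to redeem it an hour later under both checks."""
    store = AuthCodeStore()
    t0 = 1_700_000_000.0  # constructed issuance time
    code = store.issue("files-app", "alice", now=t0)
    an_hour_later = t0 + 3600
    return store.redeem_vulnerable(code, "files-app"), store.redeem_fixed(code, "files-app", now=an_hour_later)
```

`demo()` returns `("alice", None)`: the unchecked path still accepts the hour-old code, the expiring path does not.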
Recommendations
For versions prior to 28.0.0, upgrade Nextcloud Server to 28.0.0; there are no known workarounds for this issue.
Weakness Enumeration
Insufficient Session Expiration
Affected Products
Alt Linux
Nextcloud Server
Red Os