PT-2024-4351 · Nextcloud · Nextcloud Server

Everysinglusernametaken

Published: 2024-06-14 · Updated: 2025-01-24

CVE-2024-37313

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 26.0.13, 27.1.8, and 28.0.4
Nextcloud Enterprise Server versions prior to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8, and 28.0.4

Description
Nextcloud Server and Nextcloud Enterprise Server contain a flaw in their authentication procedure that allows a remote attacker who has already provided valid user credentials to bypass the second factor of two-factor authentication (2FA).

Recommendations
For Nextcloud Server versions prior to 26.0.13, upgrade to version 26.0.13 or later.
For Nextcloud Server versions prior to 27.1.8, upgrade to version 27.1.8 or later.
For Nextcloud Server versions prior to 28.0.4, upgrade to version 28.0.4 or later.
For Nextcloud Enterprise Server versions prior to 21.0.9.17, upgrade to version 21.0.9.17 or later.
For Nextcloud Enterprise Server versions prior to 22.2.10.22, upgrade to version 22.2.10.22 or later.
For Nextcloud Enterprise Server versions prior to 23.0.12.17, upgrade to version 23.0.12.17 or later.
For Nextcloud Enterprise Server versions prior to 24.0.12.13, upgrade to version 24.0.12.13 or later.
For Nextcloud Enterprise Server versions prior to 25.0.13.8, upgrade to version 25.0.13.8 or later.
For Nextcloud Enterprise Server versions prior to 26.0.13, upgrade to version 26.0.13 or later.
For Nextcloud Enterprise Server versions prior to 27.1.8, upgrade to version 27.1.8 or later.
For Nextcloud Enterprise Server versions prior to 28.0.4, upgrade to version 28.0.4 or later.


Weakness Enumeration

Improper Authentication

Related Identifiers

ALT-PU-2024-14145
ALT-PU-2024-14169
ALT-PU-2025-1855
BDU:2024-04840
CVE-2024-37313
GHSA-9V72-9XV5-3P7C

Affected Products

Alt Linux
Nextcloud Enterprise Server
Nextcloud Server
Red Os