CVE-2023-23944

Nexcloud Mail app temporarily stores cleartext password in database

CVSS 2 LOWEPSS 0.5%CWE-312

Vexday Risk Score

8Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 2EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

06 feb 2023Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Productos afectados

nextcloud · security-advisories

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/nextcloud/mail/pull/7797 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g86r-x755-93f4 https://hackerone.com/reports/1806275