Home > Vulnerability Database > CVE-2023-39963

Mend.io Vulnerability Database

CVE-2023-39963

Good to know:

Date: August 10, 2023

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Language: PHP

Severity Score

7.8

Related Resources (5)

Url: https://github.com/nextcloud/server/pull/39416

Url: https://hackerone.com/reports/2067572

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-39963

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j4qm-5q5x-54m5

Url: https://www.mend.io/vulnerability-database/CVE-2023-39963

Severity Score

7.8

Weakness Type (CWE)

Improper Access Control

CWE-284

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version v25.0.9,v26.0.4,v27.0.1

Learn More

CVSS v3.1

Base Score:	7.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-39963

Good to know:

Date: August 10, 2023

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?