Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-48305

Date: November 21, 2023

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.11, 26.0.6, and 27.1.0 of Nextcloud Server and Nextcloud Enterprise Server, when the log level was set to debug, the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. Nextcloud Server and Nextcloud Enterprise Server versions 25.0.11, 26.0.6, and 27.1.0 contain a patch for this issue. As a workaround, change config setting "loglevel" to "1" or higher (should always be higher than 1 in production environments).

Language: PHP

Severity Score

Related Resources (6)

https://github.com/nextcloud/server/pull/40013
https://hackerone.com/reports/2101165
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-35p6-4992-w5fr
https://nvd.nist.gov/vuln/detail/CVE-2023-48305
https://github.com/nextcloud/server/issues/38461
https://www.mend.io/vulnerability-database/CVE-2023-48305

Severity Score

Weakness Type (CWE)

Cleartext Storage of Sensitive Information

CWE-312

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us