CVE-2023-23944: Mail app temporarily stores cleartext password in database until OAuth2 setup is done

Nextcloud Mail is an email app for the Nextcloud home server platform. In versions prior to 2.2.2, users' passwords were stored in cleartext in the database for the duration of the OAuth2 setup procedure. Any attacker or malicious user with read access to the database could obtain these passwords until the OAuth2 setup had been completed. It is recommended that the Nextcloud Mail app be upgraded to 2.2.2. There are no known workarounds for this issue.

Tags: CVE, oauth, auth

Affected versions

< 2.2.2

Description

Impact

Users' passwords were stored in cleartext in the database for the duration of the OAuth2 setup procedure.
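The storage pattern behind this impact, shown as an added example in Python that is not Nextcloud Mail's code or its fix: a dict stands in for the accounts table, `snapshot()` is what anyone who can read that table sees, and the account ids, addresses, passwords and the 600-second pending TTL are constructed for the example. `VulnerableStore` writes the cleartext password into the row when setup begins and clears it only when OAuth2 completes, so a setup the user never finishes leaves it there indefinitely. `HardenedStore` never writes the password to the table at all: it keeps it only in a short-lived in-process entry bound to a single-use OAuth2 `state`, and drops it when the token arrives or the entry expires.

```python
"""Staging a mailbox password during an OAuth2 account setup.

Constructed example (not Nextcloud Mail's code or its fix): a dict stands
in for the accounts table, and snapshot() is the view of anyone who can
read that table. The flow, the account ids and the TTL are assumptions.
"""
import json
import secrets
import time


def snapshot(db):
    """Serialise the 'table' the way a database reader would see it."""
    return json.dumps(db)


class VulnerableStore:
    """Pattern the advisory describes: the account row is written with the
    cleartext password when setup starts and keeps it until OAuth2 finishes.
    A setup the user never finishes leaves the password there for good."""

    def __init__(self):
        self.db = {}  # account_id -> row (stands in for the SQL table)

    def begin_oauth_setup(self, account_id, email, password):
        self.db[account_id] = {"email": email, "password": password, "oauth_token": None}
        return secrets.token_urlsafe(32)  # OAuth2 'state' parameter

    def complete_oauth(self, account_id, state, token):
        row = self.db[account_id]
        row["oauth_token"] = token
        row["password"] = None  # only now does the cleartext go away
        return True


class HardenedStore:
    """Keep the password out of the shared table: the row is created without
    it, the password lives only in a short-lived in-process pending entry
    bound to the single-use OAuth2 state, and abandoned setups expire."""

    PENDING_TTL = 600  # seconds (assumed); abandoned setups are purged after this

    def __init__(self, now=time.time):
        self.db = {}
        self._pending = {}  # state -> (account_id, password, expires_at); never persisted
        self._now = now  # injectable clock so expiry can be exercised

    def begin_oauth_setup(self, account_id, email, password):
        self._purge_expired()
        self.db[account_id] = {"email": email, "password": None, "oauth_token": None}
        state = secrets.token_urlsafe(32)
        self._pending[state] = (account_id, password, self._now() + self.PENDING_TTL)
        return state

    def complete_oauth(self, account_id, state, token):
        self._purge_expired()
        entry = self._pending.pop(state, None)  # pop: the state is single-use
        if entry is None or entry[0] != account_id:
            raise PermissionError("unknown, expired or mismatched OAuth2 state")
        self.db[account_id]["oauth_token"] = token
        # entry[1], the staged password, is dropped here; the token replaces it.
        return True

    def pending_count(self):
        self._purge_expired()
        return len(self._pending)

    def _purge_expired(self):
        now = self._now()
        for state in [s for s, (_, _, exp) in self._pending.items() if exp <= now]:
            del self._pending[state]


def leaks_password(store, password):
    """True if the password is readable in the table, i.e. exposed to anyone with DB access."""
    return password in snapshot(store.db)


if __name__ == "__main__":
    v = VulnerableStore()
    v.begin_oauth_setup("acct-1", "alice@example.com", "hunter2")
    print("vulnerable store, mid-setup, password in table:", leaks_password(v, "hunter2"))
    h = HardenedStore()
    h.begin_oauth_setup("acct-1", "alice@example.com", "hunter2")
    print("hardened store, mid-setup, password in table:", leaks_password(h, "hunter2"))
```

Holding the pending secret outside the database is one option; the other is to encrypt it before it reaches the table with a key the database does not hold (Nextcloud's server exposes `OCP\Security\ICrypto` for that purpose), which a database-only attacker still cannot decrypt. In either design the state check should fail closed, as it does here, rather than fall back to the staged password.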

Patches

It is recommended that the Nextcloud Mail app be upgraded to 2.2.2.

Workarounds

  • No workaround available

References

  • HackerOne
  • Pull request

For more information

If you have any questions or comments about this advisory:

  • Create a post in nextcloud/security-advisories
  • Customers: Open a support ticket at support.nextcloud.com

Severity

CVSS base metrics

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: High
  • User interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

Base score: 1.8 (Low), computed from the vector above.
