CVE-2018-16465 — Improper Authentication in Server

CWE-287 — Improper Authentication6 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 64.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server

Timeline

PublishedOct 30

Latest updateMay 13

Description

Missing state in Nextcloud Server prior to 14.0.0 would not enforce the use of a second factor at login if the the provider of the second factor failed to load.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server< 14.0.0

▶CVEListV5nextcloud/nextcloud_server<14.0.0

🔴Vulnerability Details

GHSA

GHSA-v76x-gvw2-m5rp: Missing state in Nextcloud Server prior to 14↗2022-05-13

▶

CVEList

CVE-2018-16465: Missing state in Nextcloud Server prior to 14↗2018-10-30

▶

💬Community

Bugzilla

CVE-2018-16465 nextcloud: Second factor authentication bypassed if provider fails to load↗2018-11-05

▶

Bugzilla

CVE-2018-16465 nextcloud: Second factor authentication bypassed if provider fails to load [epel-7]↗2018-11-05

▶

Bugzilla

CVE-2018-16465 nextcloud: Second factor authentication bypassed if provider fails to load [fedora-all]↗2018-11-05

▶