CVE-2020-8236 — Improper Authentication in Server

CWE-287 — Improper Authentication3 documents3 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 76.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server

Timeline

PublishedNov 2

Latest updateMay 24

Description

A wrong configuration in Nextcloud Server 19.0.1 incorrectly made the user feel the passwordless WebAuthn is also a two factor verification by asking for the PIN of the passwordless WebAuthn but not verifying it.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server< 19.0.2

▶CVEListV5nextcloud/nextcloud_server19.0.2

🔴Vulnerability Details

GHSA

GHSA-mwjc-vmmg-j6vm: A wrong configuration in Nextcloud Server 19↗2022-05-24

▶

CVEList

CVE-2020-8236: A wrong configuration in Nextcloud Server 19↗2020-10-30

▶