CVE-2023-23944Cleartext Storage of Sensitive Info in Security-advisories

CWE-312Cleartext Storage of Sensitive Info2 documents2 sources
Severity
6.5MEDIUMNVD
CNA2.0
EPSS
0.2%
top 53.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Mail
Timeline
PublishedFeb 6

Description

Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/mail< 2.2.2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nexcloud Mail app temporarily stores cleartext password in database2023-02-06
CVE-2023-23944 — Cleartext Storage of Sensitive Info | cvebase