CVE-2023-28848
Published: 2023-04-04
Priority: P426 | Severity: medium | CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS: 0.33% (25.0th percentile)
user_oidc is the OIDC connect user backend for Nextcloud, an open source collaboration platform. A vulnerability in versions 1.0.0 until 1.3.0 effectively allowed an attacker to bypass the state protection as they could just copy the expected state token from the first request to their second request. Users should upgrade user_oidc to 1.3.0 to receive a patch for the issue. No known workarounds are available.
Affected (2 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | security-advisories | — | — |
| nextcloud | user_oidc | >= 1.0.0 < 1.3.0 | 1.3.0 |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-52hv-xw32-wf7f
- https://github.com/nextcloud/user_oidc/pull/580
- https://hackerone.com/reports/1878381