CVE-2023-32318

CWE-613 — Insufficient Session Expiration2 documents2 sources

Severity

6.7MEDIUM

EPSS

0.1%

top 78.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Nextcloud Server Nextcloud Security-advisories

Timeline

PublishedMay 26

Description

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:NExploitability: 0.8 | Impact: 5.8

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server25.0.2 — 25.0.6+1

▶CVEListV5nextcloud/security-advisories>= 25.0.2, < 25.0.6, >= 26.0.0, < 26.0.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

User session not correctly destroyed on logout↗2023-05-26

▶