CVE-2025-47790

CWE-287Improper Authentication2 documents2 sources
Severity
6.4MEDIUM
EPSS
0.1%
top 76.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedMay 16

Description

Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page to select the second f

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages2 packages

NVDnextcloud/nextcloud_server26.0.026.0.13.15+5
CVEListV5nextcloud/security-advisories6 versions+5

🔴Vulnerability Details

1
CVEList
Nextcloud Server doesn't request second factor after session timeout2025-05-16
CVE-2025-47790 (MEDIUM CVSS 6.4) | Nextcloud Server is a self hosted p | cvebase.io