Home > Vulnerability Database > CVE-2024-22403

Mend.io Vulnerability Database

CVE-2024-22403

Good to know:

Date: January 18, 2024

Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability.

Language: PHP

Severity Score

3.0

Related Resources (6)

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wppc-f5g8-vx36

Url: https://github.com/nextcloud/server/pull/40766

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S6PN4GVJ5TZUC6WSG4X3ZA3AMPBEKNAX/

Url: https://hackerone.com/reports/1784162

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-22403

Url: https://www.mend.io/vulnerability-database/CVE-2024-22403

Severity Score

3.0

Weakness Type (CWE)

Insufficient Session Expiration

CWE-613

Top Fix

Upgrade Version

Upgrade to version v28.0.0

Learn More

CVSS v3.1

Base Score:	3.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-22403

Good to know:

Date: January 18, 2024

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?