CVE-2023-32318

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-32318

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32318.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-32318

Aliases

GHSA-q8c4-chpj-6v38

Published

2023-05-26T17:21:17.942Z

Modified

2026-04-10T04:59:09.095730Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N CVSS Calculator

Summary

User session not correctly destroyed on logout

Details

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.

Database specific

{
    "cwe_ids": [
        "CWE-613"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/32xxx/CVE-2023-32318.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

9c791972de9c2561a9b36c1a60e48c25315ecca5

Fixed

df9a14d1d63ad8f46d65c19c67736ef922bdbdfe

Introduced

9c791972de9c2561a9b36c1a60e48c25315ecca5

Fixed

df9a14d1d63ad8f46d65c19c67736ef922bdbdfe

Introduced

Last affected

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Introduced

Last affected

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Database specific

{
    "versions": [
        {
            "introduced": "25.0.2"
        },
        {
            "fixed": "25.0.6"
        },
        {
            "introduced": "25.0.2"
        },
        {
            "fixed": "25.0.6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "26.0.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "26.0.0"
        }
    ]
}

Affected versions

v1.*

v1.0.0beta1

v11.*

v11.0.0

v11.0RC2

v12.*

v12.0.0beta1

v12.0.0beta2

v12.0.0beta3

v12.0.0beta4

v13.*

v13.0.0RC1

v13.0.0beta1

v13.0.0beta2

v13.0.0beta3

v13.0.0beta4

v14.*

v14.0.0RC1

v14.0.0RC2

v14.0.0beta1

v14.0.0beta2

v14.0.0beta3

v14.0.0beta4

v15.*

v15.0.0RC1

v15.0.0beta1

v15.0.0beta2

v16.*

v16.0.0RC1

v16.0.0alpha1

v16.0.0beta1

v16.0.0beta2

v16.0.0beta3

v17.*

v17.0.0beta1

v17.0.0beta2

v17.0.0beta3

v17.0.0beta4

v18.*

v18.0.0RC1

v18.0.0beta1

v18.0.0beta2

v18.0.0beta3

v18.0.0beta4

v19.*

v19.0.0RC1

v19.0.0RC2

v19.0.0beta1

v19.0.0beta2

v19.0.0beta3

v19.0.0beta4

v19.0.0beta5

v19.0.0beta6

v19.0.0beta7

v20.*

v20.0.0RC1

v20.0.0beta1

v20.0.0beta2

v20.0.0beta3

v20.0.0beta4

v21.*

v21.0.0beta1

v21.0.0beta2

v21.0.0beta3

v21.0.0beta4

v21.0.0beta5

v21.0.0beta6

v21.0.0beta7

v21.0.0beta8

v22.*

v22.0.0beta1

v22.0.0beta2

v22.0.0beta4

v22.0.0beta5

v22.0.0rc1

v23.*

v23.0.0beta1

v23.0.0beta2

v23.0.0beta3

v24.*

v24.0.0beta1

v24.0.0beta2

v24.0.0beta3

v24.0.0rc1

v25.*

v25.0.0beta1

v25.0.0beta2

v25.0.0beta3

v25.0.0beta4

v25.0.0beta5

v25.0.0beta6

v25.0.0beta7

v25.0.2

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6rc1

v26.*

v26.0.0

v26.0.0beta1

v26.0.0beta2

v26.0.0beta3

v26.0.0beta4

v26.0.0beta5

v26.0.0rc1

v26.0.0rc2

v26.0.0rc3

v3.*

v3.0

v4.*

v4.0.0

v4.0.0RC

v4.0.0RC2

v4.0.0beta

v4.0.1

v4.0.4

v4.0.5

v4.0.6

v4.5.0

v4.5.0RC1

v4.5.0RC2

v4.5.0RC3

v4.5.0beta3

v4.5.0beta4

v5.*

v5.0.0

v5.0.0RC1

v5.0.0RC2

v5.0.0RC3

v5.0.0alpha1

v5.0.0beta1

v5.0.0beta2

v6.*

v6.0.0RC1

v6.0.0RC2

v6.0.0alpha2

v6.0.0beta2

v6.0.0beta3

v6.0.0beta4

v6.0.0beta5

v7.*

v7.0.0alpha2

v7.0.0beta1

v8.*

v8.0.0

v8.0.0RC1

v8.0.0RC2

v8.0.0alpha1

v8.0.0alpha2

v8.0.0beta1

v8.0.0beta2

v8.1.0alpha1

v8.1.0alpha2

v8.1.0beta1

v8.1.0beta2

v8.1RC2

v8.2RC1

v8.2beta1

v9.*

v9.0.0beta2

v9.0beta1

v9.1.0beta1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32318.json"

Git / github.com/nextcloud/text

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/text

Events

Introduced

7827f86e8fdeb754e7972fb54d1c769c139abbc1

Fixed

4b1e9d95ada3c32326b96065561a8ded232c87fa

Database specific

{
    "versions": [
        {
            "introduced": "25.0.2"
        },
        {
            "fixed": "25.0.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/text

Events

Introduced

18cce808c81d44dbfec09832c994ebcf28d37757

Fixed

0630f306ced1c8bba33415891a84294832873a47

Database specific

{
    "versions": [
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.1"
        }
    ]
}

Affected versions

v25.*

v25.0.2

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6rc1

v26.*

v26.0.0

v26.0.1rc1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-32318.json"