CVE-2023-39963

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-39963

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-39963.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-39963

Aliases

GHSA-j4qm-5q5x-54m5

Published

2023-08-10T17:26:30.163Z

Modified

2025-12-05T00:02:20.490919Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator

Summary

Missing password confirmation when creating app passwords

Details

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 20.0.0 and prior to versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim. Nextcloud server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/39xxx/CVE-2023-39963.json"
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

20ea9a25353129b56d46951fe7d23939665ab2b2

Fixed

fbc4a4aad97572da902fef0ee61cbd49bba58365

Database specific

{
    "versions": [
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.0.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

62cfd3b4c9ff4d8cdbbe6dcc8b63a1085bb94e3d

Fixed

318ac2714fafa63dcd90805a5cb8ee9d60b58f53

Database specific

{
    "versions": [
        {
            "introduced": "26.0.0"
        },
        {
            "fixed": "26.0.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

add4e4365a4040d2e4e6aa79c0d03c3edd78583c

Fixed

e9174a418927eade3a1e6261978b27abdfdfcef6

Database specific

{
    "versions": [
        {
            "introduced": "27.0.0"
        },
        {
            "fixed": "27.0.1"
        }
    ]
}

Affected versions

v25.*

v25.0.0

v25.0.1

v25.0.1rc1

v25.0.2

v25.0.2rc1

v25.0.2rc2

v25.0.2rc3

v25.0.3

v25.0.3rc1

v25.0.3rc2

v25.0.4

v25.0.4rc1

v25.0.5

v25.0.5rc1

v25.0.6

v25.0.6rc1

v25.0.7

v25.0.7rc1

v25.0.8

v25.0.8rc1

v25.0.8rc2

v25.0.9rc1

v25.0.9rc2

v26.*

v26.0.0

v26.0.1

v26.0.1rc1

v26.0.2

v26.0.2rc1

v26.0.3

v26.0.3rc1

v26.0.3rc2

v26.0.4rc1

v26.0.4rc2

v27.*

v27.0.0

v27.0.1rc1

v27.0.1rc2