CVE-2023-23944
low-risk
Published 2023-02-06
Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.
Do I need to act?
-
0.24% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.0/10
Low
NETWORK
/ HIGH complexity
Affected Products (1)
Mail
Affected Vendors
References (6)
Permissions Required
https://hackerone.com/reports/1806275
Permissions Required
https://hackerone.com/reports/1806275
14
/ 100
low-risk
Severity
8/34 · Low
Exploitability
1/34 · Minimal
Exposure
5/34 · Minimal