A bug causing session fixation in Nextcloud Server prior to 14.0.0, 13.0.3 and 12.0.8 could potentially allow an attacker to obtain access to password-protected shares.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
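As an added illustration (not code from this record or from Nextcloud), the pattern described above in Python with a constructed in-memory session store: the vulnerable variant attaches the share authentication to whatever session id the client presented, the hardened variant discards that id and issues a fresh one on success (the equivalent of PHP's `session_regenerate_id(true)`), and `session_rotates_on_auth` is the regression check a maintainer could run against either implementation. Share token and password values are made up for the example.

```python
import secrets
from dataclasses import dataclass, field

# Minimal in-memory session backend, constructed for this example only;
# it stands in for whatever session storage a real server uses.
@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"authenticated_shares": set()}
        return sid

SHARE_PASSWORDS = {"abc123token": "correct horse"}  # constructed sample data

def verify_share_password(share_token: str, password: str) -> bool:
    return SHARE_PASSWORDS.get(share_token) == password

def authenticate_share_fixated(store, sid, share_token, password):
    # Vulnerable pattern: the presented id (possibly known to a third party
    # before login) is kept and simply marked as authenticated.
    if not verify_share_password(share_token, password):
        return None
    store.sessions.setdefault(sid, {"authenticated_shares": set()})["authenticated_shares"].add(share_token)
    return sid

def authenticate_share_rotating(store, sid, share_token, password):
    # Hardened pattern: invalidate the presented session and move its state
    # to a freshly generated id, so a pre-login id never becomes authenticated.
    if not verify_share_password(share_token, password):
        return None
    old = store.sessions.pop(sid, {"authenticated_shares": set()})
    new_sid = store.new_session()
    store.sessions[new_sid]["authenticated_shares"] = old["authenticated_shares"] | {share_token}
    return new_sid

def can_access(store, sid, share_token) -> bool:
    sess = store.sessions.get(sid)
    return sess is not None and share_token in sess["authenticated_shares"]

def session_rotates_on_auth(authenticate) -> bool:
    # Regression check: the id presented before authentication must not
    # grant access to the share afterwards.
    store = SessionStore()
    presented = store.new_session()
    result = authenticate(store, presented, "abc123token", "correct horse")
    return result is not None and not can_access(store, presented, "abc123token")
```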
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nextcloud_server | Nextcloud | * | 12.0.8 (excluding) |
Nextcloud_server | Nextcloud | 13.0.0 (including) | 13.0.3 (excluding) |
Nextcloud_server | Nextcloud | 14.0.0-beta1 (including) | 14.0.0-beta1 (including) |
Nextcloud_server | Nextcloud | 14.0.0-beta2 (including) | 14.0.0-beta2 (including) |
Nextcloud_server | Nextcloud | 14.0.0-beta3 (including) | 14.0.0-beta3 (including) |
Nextcloud_server | Nextcloud | 14.0.0-beta4 (including) | 14.0.0-beta4 (including) |
Nextcloud_server | Nextcloud | 14.0.0-rc1 (including) | 14.0.0-rc1 (including) |
Nextcloud_server | Nextcloud | 14.0.0-rc2 (including) | 14.0.0-rc2 (including) |
Such a scenario is commonly observed when: