HackerOne report H1:1806275, submitted by christophwurst
Dec 15, 2022 - 10:21 a.m.

Nextcloud: Mail app stores cleartext password in database until OAUTH2 setup is done

christophwurst
hackerone.com
Tags: nextcloud, mail app, cleartext password, oauth2, database, security issue, bug bounty

EPSS: 0.001 (percentile 42.5%)

Summary:

The Mail app normally stores the user's mail password encrypted. For XOAUTH2 accounts the encrypted access token is stored in the same columns. During setup, however, an XOAUTH2 account's password is written to the database in clear text and stays there until the OAuth flow completes.

Steps To Reproduce:


  1. Configure the Gmail OAuth client ID and secret as Nextcloud admin
  2. Open the Mail app
  3. Open the setup page
  4. Enter a value for the display name
  5. Enter a random value for the password
  6. Enter the Gmail address

-> the password field is hidden

  7. Continue the setup

Once the Gmail consent popup appears, look at the last row of oc_mail_accounts.

inbound_password and outbound_password contain the random value that was entered as the password, unencrypted.
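As an added illustration, not code from the report or from the Nextcloud Mail app, the following Python models the two setup flows described above: the behaviour the report observes (the hidden password field's value is persisted as typed while the consent popup is open) beside a hardened flow that never persists the field for an XOAUTH2 account and only writes the encrypted access token after consent. It also includes an audit routine that flags rows whose password columns hold something other than ciphertext. The column names inbound_password and outbound_password come from the report; the auth_method column, the toy encrypt/decrypt that stands in for Nextcloud's ICrypto, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Assumed stand-in for the instance secret Nextcloud's ICrypto would use.
_KEY = hashlib.sha256(b"example-instance-secret").digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(secret: str) -> str:
    """Toy authenticated encryption, 'enc:<b64(nonce||ct)>:<hmac>'.
    This is NOT Nextcloud's real ICrypto format; it only makes ciphertext
    distinguishable from cleartext for the checks below."""
    nonce = os.urandom(16)
    data = secret.encode()
    ct = bytes(b ^ k for b, k in zip(data, _keystream(nonce, len(data))))
    tag = hmac.new(_KEY, nonce + ct, hashlib.sha256).hexdigest()
    return "enc:" + base64.b64encode(nonce + ct).decode() + ":" + tag


def decrypt(token: str) -> str:
    prefix, body, tag = token.split(":")
    if prefix != "enc":
        raise ValueError("not an encrypted value")
    raw = base64.b64decode(body)
    nonce, ct = raw[:16], raw[16:]
    expected = hmac.new(_KEY, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag")
    return bytes(b ^ k for b, k in zip(ct, _keystream(nonce, len(ct)))).decode()


def is_encrypted(value: Optional[str]) -> bool:
    """True if a stored column value parses and authenticates as ciphertext."""
    if not value or not value.startswith("enc:") or value.count(":") != 2:
        return False
    try:
        decrypt(value)
        return True
    except ValueError:
        return False


@dataclass
class AccountRow:
    """Subset of oc_mail_accounts. auth_method is an assumed column."""
    email: str
    auth_method: str                       # "password" or "xoauth2"
    inbound_password: Optional[str] = None
    outbound_password: Optional[str] = None


def save_account_vulnerable(email: str, auth_method: str, form_password: str) -> AccountRow:
    """Behaviour the report describes: for XOAUTH2 the hidden field's value
    is persisted as typed while the consent popup is still open."""
    if auth_method == "password":
        enc = encrypt(form_password)
        return AccountRow(email, auth_method, enc, enc)
    return AccountRow(email, auth_method, form_password, form_password)


def save_account_fixed(email: str, auth_method: str, form_password: str) -> AccountRow:
    """Hardened flow (an assumed design, not the project's actual patch): an
    XOAUTH2 account is created with no credential; the field value is dropped."""
    if auth_method == "password":
        enc = encrypt(form_password)
        return AccountRow(email, auth_method, enc, enc)
    return AccountRow(email, auth_method, None, None)


def complete_oauth(row: AccountRow, access_token: str) -> AccountRow:
    """After consent, only the encrypted access token reaches the password columns."""
    if row.auth_method != "xoauth2":
        raise ValueError("not an XOAUTH2 account")
    row.inbound_password = row.outbound_password = encrypt(access_token)
    return row


def find_cleartext_rows(rows: List[AccountRow]) -> List[str]:
    """Audit: emails of rows whose password columns hold non-ciphertext."""
    bad = []
    for r in rows:
        if any(c and not is_encrypted(c) for c in (r.inbound_password, r.outbound_password)):
            bad.append(r.email)
    return bad


if __name__ == "__main__":
    typed = "random-value-from-step-5"   # constructed sample input
    rows = [
        save_account_vulnerable("alice@gmail.com", "xoauth2", typed),
        save_account_fixed("bob@gmail.com", "xoauth2", typed),
        save_account_fixed("carol@example.org", "password", typed),
    ]
    print("cleartext rows before consent:", find_cleartext_rows(rows))
    complete_oauth(rows[1], "constructed-access-token")
    print("cleartext rows after consent:", find_cleartext_rows(rows))
```

The audit in find_cleartext_rows is the general form of the manual check in the steps above: rather than comparing the last row against the one value you typed, it flags any row whose password columns fail to parse as ciphertext, which is what a DBA reviewing an existing table would want.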

Supporting Material/References:

  • N/A

Impact

A DBA, or anyone else who can read the oc_mail_accounts table, can read the password in plain text for as long as the OAuth setup is incomplete. If the user typed their real account password into the field before it was hidden, that is what is exposed.
