CVE-2023-32074
CVE-2023-32074 affects the Nextcloud user_oidc app (OpenID Connect backend). The issue is an authentication flaw where brute-force protection is missing, allowing potential credential testing that can break or bypass authentication. The vulnerability is described for versions prior to 1.3.2; reme...
CVE-2023-28848
CVE-2023-28848 affects Nextcloud’s user_oidc (OIDC backend). Versions 1.0.0–1.3.0 allow bypassing CSRF state protection by copying the expected state token from the first request to the second. This enables a CSRF-like bypass. Remediation: upgrade user_oidc to 1.3.0. No known workarounds are prov...
CVE-2024-37312
The CVE concerns Nextcloud’s user_oidc OpenID Connect backend, where the ID4me endpoint lacks access control, enabling account registration and potential access to data available to all registered users. Publicly documented details come from Nextcloud advisories and a HackerOne report, which confir...
CVE-2023-39954
CVE-2023-39954 affects the Nextcloud user_oidc app (OIDC backend). Versions 1.0.0 through 1.3.2 allow an attacker with read access to a database snapshot to impersonate the Nextcloud server toward linked servers due to unencrypted storage of the client secret. A patch exists in version 1.3.3. No...
CVE-2024-52512
CVE-2024-52512 affects the Nextcloud User OIDC app (OpenID Connect backend). A malformed login link can trigger an open redirect to a user-supplied URL after successful authentication. The issue is documented across multiple sources (e.g., Red Hat, CVE lists, advisories) with typical impact descr...
CVE-2023-39953
The CVE-2023-39953 entry concerns Nextcloud’s user_oidc app. Affected versions: 1.0.0 through 1.3.2. Root cause: missing verification of the issuer in the OIDC token validation, enabling a potential Man-in-the-Middle attack that could return corrupted or known tokens. Impact: attacker could lever...
CVE-2024-37886
CVE-2024-37886 affects Nextcloud’s user_oidc OpenID Connect backend; ID4me does not validate the signature or expiration, enabling an attacker to submit requests not signed by the correct server. Upgrades are recommended to Nextcloud user_oidc versions 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0. Support...
CVE-2026-45284
Nextcloud vulnerability CVE-2026-45284 affects the User OIDC LdapService in the Nextcloud platform. From version 1.3.6 up to, but not including, 8.4.0, an improper check allowed LDAP-authenticated users who had been deleted to continue authenticating via OIDC. This could permit access to accounts...
CVE-2026-45278
CVE-2026-45278 affects Nextcloud (Open Source content collaboration platform). From version 6.1.0 up to before 8.2.2, an attacker could craft links that redirect users to another website when the user logs in via the attacker’s OIDC link, due to improper redirection handling in user_oidc. The iss...