CVE-2023-23944 LOW

CVE-2023-23944: Nexcloud Mail app temporarily stores cleartext password in database

Vendor Nextcloud

Product security-advisories

Weakness CWE-312 · Cleartext storage

Published February 6, 2023

Last update March 10, 2025

View on NVD All CVEs

CVSS base score

2.0/10

Attack vector Network

Attack complexity High

Privileges required High

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Nextcloud mail is an email app for the nextcloud home server platform. In versions prior to 2.2.2 user's passwords were stored in cleartext in the database during the duration of OAuth2 setup procedure. Any attacker or malicious user with access to the database would have access to these user passwords until the OAuth setup has been completed. It is recommended that the Nextcloud Mail app is upgraded to 2.2.2. There are no known workarounds for this issue.

Key dates

02Disclosure timeline

February 6, 2023 CVE published

March 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-23944 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/312.html

Related vulnerabilities

CVE-2023-23944: Nexcloud Mail app temporarily stores cleartext password in database

01Description

02Disclosure timeline

03References

04Related CVE