CVE-2023-32318 HIGH

CVE-2023-32318: User session not correctly destroyed on logout

Vendor Nextcloud

Product security-advisories

Weakness CWE-613 · Insufficient session expiration

Published May 26, 2023

Last update January 14, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Local

Attack complexity High

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.

Key dates

02Disclosure timeline

May 26, 2023 CVE published

January 14, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-32318 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/613.html

Related vulnerabilities

Identifiers

CVE CVE-2023-32318

CWE CWE-613

CVSS 7.2 / HIGH

Affected versions

Vendor Nextcloud

Product security-advisories

Affected >= 25.0.2, < 25.0.6

Vendor Nextcloud

Product security-advisories

Affected >= 26.0.0, < 26.0.1

CVE-2023-32318: User session not correctly destroyed on logout

01Description

02Disclosure timeline

03References

04Related CVE