Description
Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server. A problem in the password verification method allows an attacker to authenticate as another user. It is recommended that the Nextcloud Global Site Selector is upgraded to version 1.4.1, 2.1.2, 2.3.4 or 2.4.5. There are no known workarounds for this issue.
References (3)
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vj5q-f63m-wp77
Patch x_refsource_misc
https://github.com/nextcloud/globalsiteselector/commit/ab5da57190d5bbc79079ce4109b6bcccccd893ee
Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/2248689
Scores
CVSS v3: 9.6
EPSS: 0.0115
EPSS Percentile: 78.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-306
Status: published
Products (1)
nextcloud/global_site_selector: 1.1.0 - 1.4.1
Published: Jan 18, 2024
Tracked Since: Feb 18, 2026