CVE-2024-37313
HIGHNextcloud Server 21.0.0-21.0.9.17 and 26.0.0-26.0.13 - Two-Factor Authentication Bypass
Title source: llmDescription
Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v72-9xv5-3p7c
Issue Tracking, Patch x_refsource_misc
https://github.com/nextcloud/server/pull/44276
Issue Tracking x_refsource_misc
https://hackerone.com/reports/2419776
Scores
CVSS v3
7.3
EPSS
0.0018
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-287
Status
published
Products (2)
nextcloud/nextcloud_server
21.0.0 - 21.0.9.17
nextcloud/nextcloud_server
26.0.0 - 26.0.13
Published
Jun 14, 2024
Tracked Since
Feb 18, 2026