Vulnerability Information
Vulnerability Title
Cleartext Transmission of Sensitive Information in user_oidc
Vulnerability Description
user_oidc is an OpenID Connect user backend for Nextcloud. In versions prior to 1.2.1, sensitive information such as the OIDC client credentials and tokens is sent in plain text over HTTP without TLS. Any malicious actor with access to monitor user traffic may have been able to compromise account security. This issue has been addressed in user_oidc v1.2.1. Users are advised to upgrade. Users unable to upgrade may use HTTPS to access Nextcloud and set an HTTPS discovery URL in the provider settings (in the Nextcloud OIDC admin settings).
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Vulnerability Type
Cleartext Transmission of Sensitive Data
Vulnerability Title
Nextcloud Security Vulnerability
Vulnerability Description
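Nextcloud is an open-source, self-hosted file synchronization, sharing and communication application platform from the German company Nextcloud. Versions of Nextcloud user_oidc prior to 1.2.1 contain a security vulnerability. The vulnerability stems from sensitive information such as OIDC client credentials and tokens being sent in plain text over HTTP without TLS; any malicious actor with access to monitor user traffic may be able to compromise account security.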
CVSS Information
N/A
Vulnerability Type
N/A