6.4
CVE-2025-47790
- EPSS 0.08%
- Veröffentlicht 16.05.2025 14:02:57
- Zuletzt bearbeitet 30.09.2025 19:59:50
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Nextcloud Server doesn't request second factor after session timeout
Second factor not requested after session timeout
Nextcloud Server is a self hosted personal cloud system. Nextcloud Server prior to 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server prior to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9, and 31.0.3 have a bug with session handling. The bug caused skipping the second factor confirmation after a successful login with the username and password when the server was configured with `remember_login_cookie_lifetime` set to `0`, once the session expired on the page to select the second factor and the page is reloaded. Nextcloud Server 29.0.15, 30.0.9, and 31.0.3 and Nextcloud Enterprise Server is upgraded to 26.0.13.15, 27.1.11.15, 28.0.14.6, 29.0.15, 30.0.9 and 31.0.3 contain a patch. As a workaround, set the `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administration can delete affected sessions.
Mögliche Gegenmaßnahme
Server: * Set the `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administration can delete affected sessions listed by the following database query:
```sql
SELECT id, uid FROM oc_authtoken WHERE type = 0 AND remember = 0;
```
Enterprise Server: * Set the `remember_login_cookie_lifetime` in config.php to a value other than `0`, e.g. `900`. Beware that this is only a workaround for new sessions created after the configuration change. System administration can delete affected sessions listed by the following database query:
```sql
SELECT id, uid FROM oc_authtoken WHERE type = 0 AND remember = 0;
```
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.13.15
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.11.15
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 28.0.0 < 28.0.14.6
Nextcloud ≫ Nextcloud Server SwEdition- Version >= 29.0.0 < 29.0.15
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 29.0.0 < 29.0.15
Nextcloud ≫ Nextcloud Server SwEdition- Version >= 30.0.0 < 30.0.9
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 30.0.0 < 30.0.9
Nextcloud ≫ Nextcloud Server SwEdition- Version >= 31.0.0 < 31.0.3
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 31.0.0 < 31.0.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemNextcloud
≫
Produkt
Server
Version
>= 29.0.0, < 29.0.15
Version
>= 30.0.0, < 30.0.9
Version
>= 31.0.0, < 31.0.3
SystemNextcloud
≫
Produkt
Enterprise Server
Version
>= 26.0.0, < 26.0.13.15
Version
>= 27.0.0, < 27.1.11.15
Version
>= 28.0.0, < 28.0.14.6
Version
>= 29.0.0, < 29.0.15
Version
>= 30.0.0, < 30.0.9
Version
>= 31.0.0, < 31.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.08% | 0.23 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.4 | 1.2 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.