Nextcloud Server provides data storage for Nextcloud, an open-source cloud platform. Starting in version 20.0.0 and prior to versions,,,,, 25.0.9, 26.0.4, and 27.0.1, a missing password confirmation allowed an attacker who had successfully stolen a session from a logged-in user to create app passwords for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions,,,,, 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available.

CvssV3 impact

Could not find any metrics

CvssV2 impact

Could not find any metrics