CVE-2023-32318
📋 TL;DR
This CVE covers a session handling flaw in Nextcloud Server affecting the Nextcloud Text app: logging out does not fully tear down the Text session state when the browser's cookies are left in place. Whoever logs in next in that same browser, with any account, inherits the previous user's Text session and can act with that user's access. Nextcloud Server installations with the Text app enabled are affected.
💻 Affected Systems
- Nextcloud Server
- Nextcloud Text app
📦 What is this software?
Nextcloud Server is an open-source, self-hosted file sync and collaboration platform written in PHP. Nextcloud Text is the collaborative Markdown editor app shipped with it, used to edit documents in the browser.
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full access to a previous user's account including all files, data, and permissions, potentially leading to data theft, privilege escalation, or unauthorized actions.
Likely Case
Session hijacking where an attacker accesses another user's account after they log out, potentially viewing sensitive files or performing unauthorized actions.
If Mitigated
No residual exposure once the server is patched or while the Text app is disabled; until then, clearing cookies between users on shared browsers and monitoring for post-logout logins keep the impact low.
🎯 Exploit Status
No exploit code is involved. The attacker needs credentials for some account (their own is enough) and access to the same browser a victim used, after the victim has logged out without clearing cookies. In practice that means a shared workstation, kiosk or lab machine; it cannot be triggered remotely against a user on a different browser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 25.0.6 or 26.0.1
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q8c4-chpj-6v38
Restart Required: Yes
Instructions:
1. Back up the Nextcloud installation directory, the data directory and the database.
2. Update Nextcloud Server to 25.0.6 or 26.0.1 (or a later release of that line) with the built-in updater, or manually: enable maintenance mode, replace the files, then run occ upgrade as the web server user.
3. Restart the web server and the PHP (PHP-FPM) service so the old code is dropped from the opcache.
4. Verify the update completed: occ status should report the new versionstring and maintenance: false.
🔧 Temporary Workarounds
Disable Nextcloud Text app
Temporarily disable the Text app until the server is patched; users lose the in-browser editor in the meantime. Run as the web server user from the Nextcloud directory:
sudo -u www-data php occ app:disable text
Clear cookies between users on shared browsers
Where one browser is shared by several people, make sure cookies and site data are cleared after every logout: separate browser profiles, private windows closed between users, or a browser policy that clears site data on exit. The inherited state lives in the browser's cookie jar, so this has to happen on the client.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual session activity
- Enforce mandatory cookie clearing on logout through user training or browser policies
🔍 How to Verify
Check if Vulnerable:
Read the server version in the admin panel (Administration settings > Overview) or, as the web server user in the Nextcloud directory: sudo -u www-data php occ status
Check Version:
sudo -u www-data php occ status | grep 'versionstring'
A 25.x release below 25.0.6 or a 26.x release below 26.0.1 is affected. Also confirm whether the Text app is enabled: sudo -u www-data php occ app:list | grep -w text
Verify Fix Applied:
Confirm the versionstring is 25.0.6 / 26.0.1 or later, then re-test with two accounts: log in as user A in a browser, open a document in Text, log out without clearing cookies, log in as user B in the same browser and confirm that B sees only B's own session and documents.
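The check above, as an added example that is not Nextcloud project code: it parses the plain-text output of occ status and occ app:list and applies the fixed versions this page lists (25.0.6 and 26.0.1). The sample outputs are constructed in the shape those commands print; the occ path /var/www/nextcloud/occ and the web user www-data in run_occ are assumptions to adjust for the installation. Major versions other than 25 and 26 are reported as outside the lines covered here rather than guessed.

```python
"""Assess a Nextcloud instance for CVE-2023-32318 from occ output."""
import re
import subprocess

# First fixed release per major line, as listed in the fix section.
FIXED = {25: (25, 0, 6), 26: (26, 0, 1)}

# Constructed sample in the plain-text shape `php occ status` prints.
SAMPLE_STATUS_VULN = """  - installed: true
  - version: 25.0.5.1
  - versionstring: 25.0.5
  - edition:
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
  - extendedSupport: false
"""
SAMPLE_STATUS_FIXED = SAMPLE_STATUS_VULN.replace("25.0.5", "25.0.6")

# Constructed sample in the shape `php occ app:list` prints.
SAMPLE_APP_LIST = """Enabled:
  - activity: 2.17.0
  - files: 1.20.1
  - text: 3.6.0
Disabled:
  - encryption: 2.13.0
  - user_ldap: 1.15.0
"""


def parse_versionstring(status_output):
    """Return the versionstring of `occ status` as an int tuple, e.g. (25, 0, 5)."""
    m = re.search(r"versionstring:\s*([0-9][0-9.]*)", status_output)
    if not m:
        raise ValueError("no versionstring in occ status output")
    return tuple(int(p) for p in m.group(1).split("."))


def enabled_apps(app_list_output):
    """Return the app ids listed under the 'Enabled:' heading of `occ app:list`."""
    apps, section = set(), None
    for line in app_list_output.splitlines():
        if line.strip() in ("Enabled:", "Disabled:"):
            section = line.strip()
            continue
        m = re.match(r"\s*-\s*([A-Za-z0-9_]+)", line)
        if m and section == "Enabled:":
            apps.add(m.group(1))
    return apps


def is_fixed(version):
    """True/False for the 25.x and 26.x lines; None when outside them."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return None
    return version >= fixed  # tuple comparison: (25, 0, 5) < (25, 0, 6)


def assess(status_output, app_list_output):
    """Combine server version and Text app state into one verdict string."""
    version = parse_versionstring(status_output)
    fixed = is_fixed(version)
    text_on = "text" in enabled_apps(app_list_output)
    if fixed is None:
        return "unknown: not a 25.x/26.x release, check the vendor advisory"
    if fixed:
        return "patched"
    if not text_on:
        return "vulnerable server version, but Text app disabled (workaround in place)"
    return "vulnerable: update to %d.%d.%d" % FIXED[version[0]]


def run_occ(args, occ="/var/www/nextcloud/occ", web_user="www-data"):
    """Run occ as the web server user. Path and user are assumptions."""
    cmd = ["sudo", "-u", web_user, "php", occ] + list(args)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(assess(run_occ(["status"]), run_occ(["app:list"])))
```

Running it on the constructed samples yields "vulnerable: update to 25.0.6" for the 25.0.5 instance with Text enabled and "patched" once the versionstring reads 25.0.6.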
📡 Detection & Monitoring
Log Indicators:
- A "Logout occurred" audit event for one account followed within minutes by "Login successful" for a different account from the same remoteAddr and userAgent, i.e. the same browser with its cookies still in place. This is the exploitation precondition; on a shared workstation it is also normal behaviour, so treat it as a lead to investigate rather than an alert on its own. These events come from the admin_audit app, which writes to nextcloud.log or, when logfile_audit is configured, to a separate audit log.
- Right after such a login, requests to the Text app endpoints (paths under /apps/text/) in the web server access log for documents the previous account had open.
- Accounts logging in from a client they have never used before.
Network Indicators:
- Successive logins as different accounts from one client (IP address plus user agent) with no gap in which cookies could have been cleared, visible in the reverse proxy or web server access log.
SIEM Query:
source="nextcloud.log" AND app="admin_audit" AND (message="Logout occurred" OR message="Login successful: *")
Group the results by remoteAddr and userAgent, sort by time, and flag a login whose account differs from the one in the preceding logout on that client.
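The correlation the query describes, as an added example that is not Nextcloud code: it reads JSON-lines audit events, keys them by client (remoteAddr plus userAgent) and flags a login by a different account shortly after a logout on that client. It assumes the admin_audit app is enabled and uses its message strings for login success ("Login successful: "uid"") and logout ("Logout occurred"); the log lines below are constructed in that shape and the ten-minute window is a tunable assumption.

```python
"""Flag post-logout logins by a different account from the same client."""
import json
import re
from datetime import datetime

LOGIN_RE = re.compile(r'^Login successful: "([^"]+)"')
DEFAULT_WINDOW_SECONDS = 600  # tune to how long a shared seat stays warm

# Constructed sample: alice logs out and bob logs in 39 s later from the same
# browser; carol and dave on another client are 25 minutes apart; the last
# line is a core login failure that the parser must ignore.
SAMPLE_LOG = r'''
{"reqId":"r1","level":1,"time":"2023-05-02T09:00:01+00:00","remoteAddr":"203.0.113.10","user":"alice","app":"admin_audit","method":"GET","url":"/logout","message":"Logout occurred","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/112.0","version":"25.0.5.1"}
{"reqId":"r2","level":1,"time":"2023-05-02T09:00:40+00:00","remoteAddr":"203.0.113.10","user":"--","app":"admin_audit","method":"POST","url":"/login","message":"Login successful: \"bob\"","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/112.0","version":"25.0.5.1"}
{"reqId":"r3","level":1,"time":"2023-05-02T09:05:00+00:00","remoteAddr":"198.51.100.7","user":"carol","app":"admin_audit","method":"GET","url":"/logout","message":"Logout occurred","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/112.0","version":"25.0.5.1"}
{"reqId":"r4","level":1,"time":"2023-05-02T09:30:00+00:00","remoteAddr":"198.51.100.7","user":"--","app":"admin_audit","method":"POST","url":"/login","message":"Login successful: \"dave\"","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/112.0","version":"25.0.5.1"}
{"reqId":"r5","level":2,"time":"2023-05-02T09:31:00+00:00","remoteAddr":"198.51.100.7","user":"--","app":"core","method":"POST","url":"/login","message":"Login failed: eve (Remote IP: 198.51.100.7)","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/112.0","version":"25.0.5.1"}
'''


def parse_events(log_text):
    """Extract login/logout events from admin_audit lines; ignore everything else."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("app") != "admin_audit":
            continue
        msg = rec.get("message", "")
        if msg == "Logout occurred":
            kind, uid = "logout", rec.get("user")
        else:
            m = LOGIN_RE.match(msg)
            if not m:
                continue
            kind, uid = "login", m.group(1)  # on login the uid is in the message
        events.append({
            "time": datetime.fromisoformat(rec["time"]),
            "client": (rec.get("remoteAddr"), rec.get("userAgent")),
            "kind": kind,
            "uid": uid,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_post_logout_logins(events, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Return logins by account B on a client whose last event was a logout by
    account A != B no more than window_seconds earlier."""
    findings = []
    last_logout = {}  # client -> most recent logout event
    for ev in events:
        if ev["kind"] == "logout":
            last_logout[ev["client"]] = ev
            continue
        prev = last_logout.pop(ev["client"], None)  # any login consumes the logout
        if prev is None:
            continue
        gap = int((ev["time"] - prev["time"]).total_seconds())
        if prev["uid"] != ev["uid"] and gap <= window_seconds:
            findings.append({
                "client": ev["client"][0],
                "previous_user": prev["uid"],
                "new_user": ev["uid"],
                "seconds_after_logout": gap,
            })
    return findings


if __name__ == "__main__":
    for f in find_post_logout_logins(parse_events(SAMPLE_LOG)):
        print("possible session inheritance: %(previous_user)s -> %(new_user)s "
              "from %(client)s, %(seconds_after_logout)ds after logout" % f)
```

On the sample this reports one finding (alice then bob from 203.0.113.10, 39 s apart); carol and dave fall outside the default window. On a patched server a finding is only a shared-seat signal; on a vulnerable one, check what the second account did in Text right after logging in.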