How severe is CVE-2024-22403?

This vulnerability has a severity rating of LOW with a CVSS score of 3.7 out of 10.

What type of vulnerability is CVE-2024-22403?

This is classified as CWE-613, which is a common weakness in software security.

CVE-2024-22403 - LOW Severity | CVSS 3.7

Vulnerability Description

Nextcloud server is a self hosted personal cloud system. In affected versions OAuth codes did not expire. When an attacker would get access to an authorization code they could authenticate at any time using the code. As of version 28.0.0 OAuth codes are invalidated after 10 minutes and will no longer be authenticated. To exploit this vulnerability an attacker would need to intercept an OAuth code from a user session. It is recommended that the Nextcloud Server is upgraded to 28.0.0. There are no known workarounds for this vulnerability.

Related Vulnerabilities

CVE-2020-6197

LOW

CVSS:3.8(Low)

SAP Enable Now, before version 1908, does not invalidate session tokens in a timely manner. The Insufficient Session Expiration may allow attackers with local access, for instance, to still download t...

CWE-6132020

CVE-2023-4005

LOW

CVSS:3.8(Low)

Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5.

CWE-6132023

CVE-2023-40732

LOW

CVSS:3.9(Low)

A vulnerability has been identified in QMS Automotive (All versions < V12.39). The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an at...

CWE-6132023

CVE-2024-4680

LOW

CVSS:3.9(Low)

A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire afte...

CWE-6132024

CVE-2021-22136

LOW

CVSS:3.5(Low)

In Kibana versions before 7.12.0 and 6.8.15 a flaw in the session timeout was discovered where the xpack.security.session.idleTimeout setting is not being respected. This was caused by background poll...

CWE-6132021

CVE-2021-34428

LOW

CVSS:3.5(Low)

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manag...

CWE-6132021