CVE-2023-25161

Published: Feb 13, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.

Affected (3)

Products: Nextcloud: Nextcloud Server

1 product

Nextcloud Server

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	Before 23.0.12
Nextcloud Nextcloud Server	From 24.0.0 to 24.0.8
Nextcloud Nextcloud Server	Version 25.0.0

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f

Source: security-advisories@github.com

Vendor Advisory

https://github.com/nextcloud/server/pull/34632

Source: security-advisories@github.com

Issue TrackingPatch

https://hackerone.com/reports/1691195

Source: security-advisories@github.com

Permissions RequiredThird Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://github.com/nextcloud/server/pull/34632

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingPatch

https://hackerone.com/reports/1691195

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

Timeline

No history available yet.