Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-25161

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.

Published

2023-02-13T21:15:14.957

Last Modified

2024-11-21T07:49:13.647

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

Weaknesses

Type: Secondary
CWE-284
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 23.0.12	Yes
Application	nextcloud	nextcloud_server	< 24.0.8	Yes
Application	nextcloud	nextcloud_server	25.0.0	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f Vendor Advisory ([email protected])
https://github.com/nextcloud/server/pull/34632 Issue Tracking, Patch ([email protected])
https://hackerone.com/reports/1691195 Permissions Required, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/pull/34632 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1691195 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)