Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28847

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.

Published

2023-04-25T17:15:08.963

Last Modified

2024-11-21T07:56:08.940

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.1 (LOW)

Weaknesses

Type: Primary
CWE-307

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 23.0.12.6	Yes
Application	nextcloud	nextcloud_server	< 24.0.11	Yes
Application	nextcloud	nextcloud_server	< 24.0.11	Yes
Application	nextcloud	nextcloud_server	< 25.0.5	Yes
Application	nextcloud	nextcloud_server	< 25.0.5	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w Vendor Advisory ([email protected])
https://github.com/nextcloud/server/pull/35057 Issue Tracking, Patch ([email protected])
https://hackerone.com/reports/1894653 Exploit, Issue Tracking, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/pull/35057 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1894653 Exploit, Issue Tracking, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)