Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-39960

Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. In Nextcloud Server starting with 25.0.0 and prior to 25.09 and 26.04; as well as Nextcloud Enterprise Server starting with 22.0.0 and prior to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4; missing protection allows an attacker to brute force passwords on the WebDAV API. Nextcloud Server 25.0.9 and 26.0.4 and Nextcloud Enterprise Server 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, and 26.0.4 contain patches for this issue. No known workarounds are available.

Published

2023-10-13T13:15:11.560

Last Modified

2024-11-21T08:16:07.403

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.0 (MEDIUM)

Weaknesses

Type: Primary
CWE-307

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 22.2.10.14	Yes
Application	nextcloud	nextcloud_server	< 23.0.12.9	Yes
Application	nextcloud	nextcloud_server	< 24.0.12.5	Yes
Application	nextcloud	nextcloud_server	< 25.0.9	Yes
Application	nextcloud	nextcloud_server	< 25.0.9	Yes
Application	nextcloud	nextcloud_server	< 26.0.4	Yes
Application	nextcloud	nextcloud_server	< 26.0.4	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 Vendor Advisory ([email protected])
https://github.com/nextcloud/server/pull/38046 Issue Tracking, Patch ([email protected])
https://hackerone.com/reports/1924212 Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2hrc-5fgp-c9c9 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/pull/38046 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1924212 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)