Missing brute force protection on password confirmation modal
Package
Server
(Nextcloud)
Affected versions
>= 24.0.0, >= 25.0.0
Patched versions
24.0.10, 25.0.4
Server
(Nextcloud Enterprise)
>= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0
21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, 25.0.4
Impact
When an attacker gets access to an already logged in user session they can then brute force the password on the confirmation endpoint.
Patches
It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4
It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.10 or 22.2.10.10 or 23.0.12.5 or 24.0.10 or 25.0.4
Workarounds
References
For more information
If you have any questions or comments about this advisory: