Password reset endpoint is not brute force protected

High
nickvergessen published GHSA-mjf5-p765-qmr6 Jun 22, 2023

Package: Server (Nextcloud)
Affected versions: >= 25.0.0, >= 26.0.0
Patched versions: 25.0.7, 26.0.2

Package: Server (Nextcloud Enterprise)
Affected versions: >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0, >= 26.0.0
Patched versions: 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, 26.0.2

Description

Impact

An attacker can brute-force the password reset links, because the password reset endpoint does not limit repeated attempts.

Patches

It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2.
It is recommended that the Nextcloud Enterprise Server is upgraded to 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7 or 26.0.2.

Workarounds

  • No workaround available

Severity

High, 8.7 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2023-35172