7.1
CVE-2023-25818
- EPSS 0.31%
- Published 27.03.2023 20:15:09
- Last modified 21.11.2024 07:50:15
- Source security-advisories@github.com
- Teams watchlist Login
- Open Login
Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resources to brute force. None the less it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.
Data is provided by the National Vulnerability Database (NVD)
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 21.0.0 < 21.0.9.10
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 22.0.0 < 22.2.10.10
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 23.0.0 < 23.0.12.5
Nextcloud ≫ Nextcloud Server SwEdition- Version >= 24.0.0 < 24.0.10
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 24.0.0 < 24.0.10
Nextcloud ≫ Nextcloud Server SwEdition- Version >= 25.0.0 < 25.0.4
Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.4
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.31% | 0.537 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 7.1 | 2.8 | 4.2 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
|
| security-advisories@github.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
CWE-307 Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.