Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistGitHub_MCVELIST:CVE-2023-25820
HistoryMar 22, 2023 - 6:22 p.m.

CVE-2023-25820 Nextcloud Server and Enterprise Server missing brute force protection on password confirmation modal

2023-03-2218:22:54
CWE-307
GitHub_M
www.cve.org
5
nextcloud
enterprise server
brute force
password confirmation
vulnerability
upgrade

CVSS3

4.2

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

EPSS

0

Percentile

5.1%

JSON

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x prior to 24.0.10, 23.0.x prior to 23.0.12.5, 22.x prior to 22.2.0.10, and 21.x prior to 21.0.9.10, when an attacker gets access to an already logged in user session they can then brute force the password on the confirmation endpoint. Nextcloud Server should upgraded to 24.0.10 or 25.0.4 and Nextcloud Enterprise Server should upgraded to 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, or 25.0.4 to receive a patch. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "Nextcloud Server >= 24.0.0, < 24.0.10",
        "status": "affected"
      },
      {
        "version": "Nextcloud Server >= 25.0.0, < 25.0.4",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 25.0.0, < 25.0.4",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 24.0.0, < 24.0.10",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 23.0.0, < 23.0.12.5",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 22.0.0, < 22.2.10.10",
        "status": "affected"
      },
      {
        "version": "Nextcloud Enterprise Server >= 21.0.0, < 21.0.9.10",
        "status": "affected"
      }
    ]
  }
]

Related

openvas 1
nvd 1
osv 1
nextcloud 1
hackerone 1
prion 1
cve 1
openvas
openvas
Nextcloud Server 24.0.x < 24.0.10, 25.0.x < 25.0.4 Missing Brute Force Protection Vulnerability (GHSA-36g6-wjx2-333x)
2023-03-23 00:00:00
nvd
nvd
CVE-2023-25820
2023-03-22 19:15:11
osv
osv
CVE-2023-25820
2023-03-22 19:15:11
nextcloud
nextcloud
Missing brute force protection on password confirmation modal
2023-03-21 13:37:29
hackerone
hackerone
Nextcloud: Missing brute force protection on password confirmation modal
2023-01-20 16:45:21
prion
prion
Default credentials
2023-03-22 19:15:00
cve
cve
CVE-2023-25820
2023-03-22 19:15:11

CVSS3

4.2

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L

EPSS

0

Percentile

5.1%

JSON
Related for CVELIST:CVE-2023-25820
openvas1nvd1osv1nextcloud1hackerone1prion1cve1