EUVD-2023-39176

🗓️ 03 Oct 2025 20:07:09Reported by EUVDType

NextCloud Server and Enterprise Server allow password reset link bruteforcing in specific versions.

Reporter	Title	Published	Views	Family All 52
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud storage solutions lies in the improper limitation on excessive authentication attempts, which allows a hacker to compromise the target system.	10 Jul 202300:00	–	bdu_fstec
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud storage solutions stems from improper handling of insufficient privileges. This allows attackers to gain access to the credentials of other users.	18 Jul 202300:00	–	bdu_fstec
CNNVD	Nextcloud 安全漏洞	23 Jun 202300:00	–	cnnvd
CVE	CVE-2023-35172	23 Jun 202320:49	–	cve
Cvelist	CVE-2023-35172 Nextcloud Server password reset endpoint is not brute force protected	23 Jun 202320:49	–	cvelist
Nextcloud	Password reset endpoint is not brute force protected	22 Jun 202306:17	–	nextcloud
Hacker One	Nextcloud: Password reset endpoint is not brute force protected	13 May 202319:17	–	hackerone
NVD	CVE-2023-35172	23 Jun 202321:15	–	nvd
OpenVAS	Nextcloud Server 25.x < 25.0.7, 26.x < 26.0.2 Multiple Vulnerabilities (GHSA-qphh-6xh7-vffg, GHSA-mjf5-p765-qmr6, GHSA-h7f7-535f-7q87, GHSA-637g-xp2c-qh5h)	23 Jun 202300:00	–	openvas
OSV	CVE-2023-35172 Nextcloud Server password reset endpoint is not brute force protected	23 Jun 202320:49	–	osv

[
  {
    "enisaIdVendor": [
      {
        "id": "ed4042e3-35ba-3908-8b58-c8b8dedb8ca0",
        "vendor": {
          "name": "nextcloud"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "2ef2dd24-a004-35a7-850a-5073ec113092",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Enterprise Server  25.0.0, < 25.0.7"
      },
      {
        "id": "6fd791fc-fe38-3a78-97f2-70ea42ecf5a4",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Server  25.0.0, < 25.0.7"
      },
      {
        "id": "70c1deb9-dac3-3f15-ba44-8e6ad02c80f9",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Enterprise Server  21.0.0, < 21.0.9.12"
      },
      {
        "id": "abeaa79a-5f20-337e-8de6-3603b0298cfb",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Enterprise Server  24.0.0, < 24.0.12.2"
      },
      {
        "id": "af960e49-84c3-3884-910a-663e8e2aafba",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Enterprise Server  23.0.0, < 23.0.12.7"
      },
      {
        "id": "dfa3df65-d188-3423-bd78-2d04177c541b",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Enterprise Server  22.0.0, < 22.2.10.12"
      },
      {
        "id": "ea0f7027-d7b3-3424-8ecd-39b716cabf15",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Enterprise Server  26.0.0, < 26.0.2"
      },
      {
        "id": "fd4352b9-4fde-31be-a886-b9d751c803c1",
        "product": {
          "name": "security-advisories"
        },
        "product_version": "Nextcloud Server  26.0.0, < 26.0.2"
      }
    ]
  }
]

Source	Link
github	www.github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6
github	www.github.com/nextcloud/server/pull/38267
hackerone	www.hackerone.com/reports/1987062

03 Oct 2025 20:07Current

8.9High risk

Vulners AI Score8.9

CVSS 3.18.7 - 9.1

EPSS0.00621

SSVC