Again related to https://hackerone.com/reports/1173684
I am having some trouble finding the code.
However if you do
curl -u "RANDOM1:RANDOM2" -X PROPFIND https://server/public.php/webdav
And then check your oc_bruteforce_attempts
table. You’ll see there is no entry registered.
Low just like on the other report. But should be fixed non the less.