Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneRullzerH1:1987062
HistoryMay 13, 2023 - 7:17 p.m.

Nextcloud: Password reset endpoint is not brute force protected

2023-05-1319:17:02
rullzer
hackerone.com
$500
28
nextcloud
lost password
brute force
vulnerable
endpoint
bug bounty
security advisory

EPSS

0.001

Percentile

50.1%

JSON

Oversight of https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp (https://hackerone.com/reports/1841665, but I can’t judge the content there as it is not yet public).

In any case. The whole lostpassword flow is now annotated with bruteforce protection. Except the endpoint that actually matters. https://github.com/nextcloud/server/blob/master/core/Controller/LostController.php#L226-L229

An attacker can still happily try to brute force the token. Without getting throttled.

Impact

The lostpassword flow is without actual bruteforce protection.

Related

prion 1
cvelist 1
nextcloud 1
osv 1
nvd 1
cve 1
redos 1
openvas 1
prion
prion
Code injection
2023-06-23 21:15:00
cvelist
cvelist
CVE-2023-35172 Nextcloud Server password reset endpoint is not brute force protected
2023-06-23 20:49:56
nextcloud
nextcloud
Password reset endpoint is not brute force protected
2023-06-22 06:17:09
osv
osv
CVE-2023-35172
2023-06-23 21:15:09
nvd
nvd
CVE-2023-35172
2023-06-23 21:15:09
cve
cve
CVE-2023-35172
2023-06-23 21:15:09
redos
redos
ROS-20230628-01
2023-06-28 00:00:00
openvas
openvas
Nextcloud Server 25.x < 25.0.7, 26.x < 26.0.2 Multiple Vulnerabilities (GHSA-qphh-6xh7-vffg, GHSA-mjf5-p765-qmr6, GHSA-h7f7-535f-7q87, GHSA-637g-xp2c-qh5h)
2023-06-23 00:00:00

EPSS

0.001

Percentile

50.1%

JSON
Related for H1:1987062
prion1cvelist1nextcloud1osv1nvd1cve1redos1openvas1