Steps To Reproduce:
- Instead of sending a POST to the authentication endpoint, the password can be added as a parameter on the GET request of the frontpage.
- A failure will not log a bruteforce attempt, but a successful password will no longer bring up the login page
Supporting Material/References:
Found while looking into https://support.nextcloud.com/#ticket/zoom/47814
Impact
Brute force protection of public talk conversation passwords can be bypassed.