Nextcloud: GHSA-492H-596Q-XR2F
History: Feb 13, 2023 - 1:47 p.m.

Missing rate limiting on password reset functionality allows sending lots of emails

2023-02-13 13:47:45
github.com
Tags: nextcloud, security advisory, rate limiting, email services, hackerone, pullrequest

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.001
Percentile: 42.6%

Description

Impact

Service slowdown, storage overflow, cost impact when using external email services

Patches

It is recommended that Nextcloud Server be upgraded to 25.0.1, 24.0.8 or 23.0.12.
It is recommended that Nextcloud Enterprise Server be upgraded to 25.0.1, 24.0.8 or 23.0.12.

Workarounds

No workaround available
