Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2023-35172
HistoryJun 23, 2023 - 9:15 p.m.

CVE-2023-35172

2023-06-2321:15:09
CWE-307
[email protected]
web.nvd.nist.gov
7
nextcloud
enterprise server
vulnerability
password reset
patch

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

50.1%

JSON

NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available.

Affected configurations

Nvd
Node
nextcloudnextcloud_serverRange21.0.021.0.9.12enterprise
OR
nextcloudnextcloud_serverRange22.0.022.2.10.12enterprise
OR
nextcloudnextcloud_serverRange23.0.023.0.12.7enterprise
OR
nextcloudnextcloud_serverRange24.0.024.0.12.2enterprise
OR
nextcloudnextcloud_serverRange25.0.025.0.7-
OR
nextcloudnextcloud_serverRange25.0.025.0.7enterprise
OR
nextcloudnextcloud_serverRange26.0.026.0.2-
OR
nextcloudnextcloud_serverRange26.0.026.0.2enterprise
VendorProductVersionCPE
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*

Related

prion 1
cvelist 1
nextcloud 1
osv 1
hackerone 1
cve 1
redos 1
openvas 1
prion
prion
Code injection
2023-06-23 21:15:00
cvelist
cvelist
CVE-2023-35172 Nextcloud Server password reset endpoint is not brute force protected
2023-06-23 20:49:56
nextcloud
nextcloud
Password reset endpoint is not brute force protected
2023-06-22 06:17:09
osv
osv
CVE-2023-35172
2023-06-23 21:15:09
hackerone
hackerone
Nextcloud: Password reset endpoint is not brute force protected
2023-05-13 19:17:02
cve
cve
CVE-2023-35172
2023-06-23 21:15:09
redos
redos
ROS-20230628-01
2023-06-28 00:00:00
openvas
openvas
Nextcloud Server 25.x < 25.0.7, 26.x < 26.0.2 Multiple Vulnerabilities (GHSA-qphh-6xh7-vffg, GHSA-mjf5-p765-qmr6, GHSA-h7f7-535f-7q87, GHSA-637g-xp2c-qh5h)
2023-06-23 00:00:00

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

50.1%

JSON
Related for NVD:CVE-2023-35172
prion1cvelist1nextcloud1osv1hackerone1cve1redos1openvas1