Lucene search

PRIOn knowledge basePRION:CVE-2023-45149

HistoryOct 16, 2023 - 8:15 p.m.

Design/Logic Flaw

2023-10-1620:15:00

PRIOn knowledge base

www.prio-n.com

nextcloud

talk app

brute force

protection

public conversation

passwords

bypassed

upgrade

4.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.4%

JSON

Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.

CPENameOperatorVersion
talkge17.0.0
talklt17.1.1
talkge15.0.0
talklt15.0.8
talkge16.0.0
talklt16.0.6

Name	Operator	Version
talk	ge	17.0.0
talk	lt	17.1.1
talk	ge	15.0.0
talk	lt	15.0.8
talk	ge	16.0.0
talk	lt	16.0.6

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv

github.com/nextcloud/spreed/pull/10545

hackerone.com/reports/2094473