← voltar
CVE-2023-25161

Nextcloud Server's missing rate limiting on password reset functionality allows sending lots of emails

CVSS 3.7 LOWEPSS 0.7%CWE-284
Vexday Risk Score
8Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 3.7EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
13 fev 2023Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Produtos afetados
nextcloud · security-advisories

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2fhttps://github.com/nextcloud/server/pull/34632https://hackerone.com/reports/1691195