CVE-2023-45149

Password of talk conversations can be bruteforced in Nextcloud

CVSS 4.3 MEDIUMEPSS 0.5%CWE-307

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 4.3EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

16 out 2023Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Produtos afetados

nextcloud · security-advisories

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv https://github.com/nextcloud/spreed/pull/10545 https://hackerone.com/reports/2094473