PT-2023-20326 · Nextcloud+1 · Nextcloud Enterprise Server+2
Hackit_Bharat
·
Publicado
2023-03-22
·
Atualizado
2023-03-31
·
CVE-2023-25820
CVSS v3.1
4.2
Média
| Vetor | AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions 24.0.x through 24.0.9
Nextcloud Server versions 25.0.x through 25.0.4
Nextcloud Enterprise Server versions 21.x through 21.0.9.9
Nextcloud Enterprise Server versions 22.x through 22.2.0.9
Nextcloud Enterprise Server versions 23.0.x through 23.0.12.4
Nextcloud Enterprise Server versions 24.0.x through 24.0.9
Nextcloud Enterprise Server versions 25.0.x through 25.0.3
Description
The issue affects Nextcloud Server and Nextcloud Enterprise Server, where an attacker who gains access to an already logged-in user session can brute force the password on the confirmation endpoint.
Recommendations
For Nextcloud Server versions 24.0.x through 24.0.9, upgrade to version 24.0.10 or 25.0.5.
For Nextcloud Server versions 25.0.x through 25.0.4, upgrade to version 25.0.5.
For Nextcloud Enterprise Server versions 21.x through 21.0.9.9, upgrade to version 21.0.9.10.
For Nextcloud Enterprise Server versions 22.x through 22.2.0.9, upgrade to version 22.2.0.10.
For Nextcloud Enterprise Server versions 23.0.x through 23.0.12.4, upgrade to version 23.0.12.5.
For Nextcloud Enterprise Server versions 24.0.x through 24.0.9, upgrade to version 24.0.10.
For Nextcloud Enterprise Server versions 25.0.x through 25.0.3, upgrade to version 25.0.4.
Exploit
Correção
Improper Restriction of Excessive Authentication Attempts
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Alt Linux
Nextcloud Enterprise Server
Nextcloud Server