PT-2023-20326 · Nextcloud+1 · Nextcloud Enterprise Server+2
Hackit_Bharat
·
Published
2023-03-22
·
Updated
2023-03-31
·
CVE-2023-25820
CVSS v3.1
4.2
Medium
| Vector | AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions 24.0.x through 24.0.9
Nextcloud Server versions 25.0.x through 25.0.4
Nextcloud Enterprise Server versions 21.x through 21.0.9.9
Nextcloud Enterprise Server versions 22.x through 22.2.0.9
Nextcloud Enterprise Server versions 23.0.x through 23.0.12.4
Nextcloud Enterprise Server versions 24.0.x through 24.0.9
Nextcloud Enterprise Server versions 25.0.x through 25.0.3
Description
The issue affects Nextcloud Server and Nextcloud Enterprise Server, where an attacker who gains access to an already logged-in user session can brute force the password on the confirmation endpoint.
Recommendations
For Nextcloud Server versions 24.0.x through 24.0.9, upgrade to version 24.0.10 or 25.0.5.
For Nextcloud Server versions 25.0.x through 25.0.4, upgrade to version 25.0.5.
For Nextcloud Enterprise Server versions 21.x through 21.0.9.9, upgrade to version 21.0.9.10.
For Nextcloud Enterprise Server versions 22.x through 22.2.0.9, upgrade to version 22.2.0.10.
For Nextcloud Enterprise Server versions 23.0.x through 23.0.12.4, upgrade to version 23.0.12.5.
For Nextcloud Enterprise Server versions 24.0.x through 24.0.9, upgrade to version 24.0.10.
For Nextcloud Enterprise Server versions 25.0.x through 25.0.3, upgrade to version 25.0.4.
Exploit
Fix
Improper Restriction of Excessive Authentication Attempts
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Nextcloud Enterprise Server
Nextcloud Server