PT-2023-29439 · Nextcloud · Nextcloud Talk
Nickvergessen
·
Published
2023-10-16
·
Updated
2023-10-20
·
CVE-2023-45149
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Talk versions prior to 15.0.8
Nextcloud Talk versions prior to 16.0.6
Nextcloud Talk versions prior to 17.1.1
Description
Nextcloud Talk is the chat and call module of the Nextcloud server platform. In affected versions, the brute force protection for the passwords of public Talk conversations can be bypassed: one endpoint validates the conversation password but does not register failed attempts with the server's brute force protection, so a client can keep submitting guesses without ever being throttled. Consistent with the CVSS vector above, the attacker needs an authenticated account and network access (PR:L, AV:N), and the impact is limited to reading a password-protected conversation (C:L).
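As an added illustration (constructed for this page; it is not Nextcloud's code and does not reproduce the actual patched endpoint), the following Python model shows the bug class described above: a throttle that counts failures per client and action, a join path that both consults and feeds it, a second password-check path that validates the same secret without registering the failure, and the fixed form of that check. The action name `talkRoomPassword`, the limits, the room token, the client address and the wordlist are all assumptions made for the example.

```python
"""Constructed model of attempt-counting brute-force protection and of the
bypass class in this advisory: a second endpoint validates the same secret
but never feeds the throttle. Illustration only; not Nextcloud code."""
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5            # failures tolerated per window (assumed)
WINDOW_SECONDS = 60.0       # sliding window length (assumed)
ACTION = "talkRoomPassword"  # hypothetical throttle action name


class Throttler:
    """Counts failed attempts per (client, action) inside a sliding window."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._failures = defaultdict(list)  # (client, action) -> [timestamps]

    def _recent(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[key] = [t for t in self._failures[key] if t >= cutoff]
        return self._failures[key]

    def is_blocked(self, client, action):
        return len(self._recent((client, action))) >= MAX_ATTEMPTS

    def register_failure(self, client, action):
        self._failures[(client, action)].append(self._now())

    def reset(self, client, action):
        self._failures.pop((client, action), None)


class Room:
    """A public conversation protected by a shared password."""

    def __init__(self, token, password):
        self.token = token
        self._password = password.encode()

    def verify_password(self, candidate):
        # Constant-time compare so the comparison itself leaks nothing.
        return hmac.compare_digest(self._password, candidate.encode())


def _guarded_verify(throttler, room, client, password):
    """Every path that validates the secret must consult AND feed the throttle."""
    if throttler.is_blocked(client, ACTION):
        return 429
    if not room.verify_password(password):
        throttler.register_failure(client, ACTION)
        return 403
    throttler.reset(client, ACTION)
    return 200


def join_room(throttler, room, client, password):
    """Protected join endpoint."""
    return _guarded_verify(throttler, room, client, password)


def check_password_vulnerable(throttler, room, client, password):
    """The bypass: same secret, same status codes, but the failure is never
    registered, so an attacker can iterate here without being throttled."""
    return 200 if room.verify_password(password) else 403


def check_password_fixed(throttler, room, client, password):
    """Fixed: the check endpoint shares the join endpoint's throttle."""
    return _guarded_verify(throttler, room, client, password)


def brute_force(endpoint, throttler, room, client, wordlist):
    """Return (password_found, number_of_guesses_actually_compared)."""
    evaluated = 0
    for candidate in wordlist:
        status = endpoint(throttler, room, client, candidate)
        if status == 429:        # throttled: this guess was never compared
            break
        evaluated += 1
        if status == 200:
            return candidate, evaluated
    return None, evaluated


WORDLIST = [f"pw{i:02d}" for i in range(20)]  # constructed guess list
SECRET = "pw11"                               # constructed room password
CLIENT = "198.51.100.7"                       # attacker address (documentation range)


def run_scenarios():
    """Brute-force each endpoint with a fresh throttle and report the outcome:
    (password found, guesses compared, status of a subsequent join with it)."""
    room = Room("abc123xy", SECRET)
    results = {}
    for name, endpoint in (("vulnerable", check_password_vulnerable),
                           ("fixed", check_password_fixed),
                           ("join", join_room)):
        throttler = Throttler()
        found, evaluated = brute_force(endpoint, throttler, room, CLIENT, WORDLIST)
        # A password learned via the unthrottled path lets the attacker join first try.
        joined = join_room(throttler, room, CLIENT, found) if found else None
        results[name] = (found, evaluated, joined)
    return results


if __name__ == "__main__":
    for name, (found, evaluated, joined) in run_scenarios().items():
        print(f"{name:10s} found={found} compared={evaluated} join={joined}")
```

Running it, the vulnerable check path lets all twelve guesses be compared and yields the password, after which the join endpoint, whose counter was never fed, accepts it on the first try; the fixed check and the join path each stop the attacker after the fifth failure. The point of the fix is that both endpoints report into the same throttle, so a failure on either one counts against the other.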
Recommendations
For versions prior to 15.0.8, upgrade to version 15.0.8.
For versions prior to 16.0.6, upgrade to version 16.0.6.
For versions prior to 17.1.1, upgrade to version 17.1.1.
Weakness Enumeration
CWE-307: Improper Restriction of Excessive Authentication Attempts
Related Identifiers
CVE-2023-45149
Affected Products
Nextcloud Talk