CVE-2023-25818

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 24.0.10 Nextcloud Server versions prior to 25.0.4

Description The issue is related to the lack of authentication attempt limits in Nextcloud Server, allowing a malicious user to try to reset another user's password and then brute force the password reset token. Although brute forcing the 62^21 combinations for the password reset token would require significant compute resources, it is still a potential risk. There are no known real-world incidents or estimated numbers of affected devices mentioned.

Recommendations For versions prior to 24.0.10, upgrade to 24.0.10. For versions prior to 25.0.4, upgrade to 25.0.4. As a temporary workaround, consider implementing throttling for password reset attempts, similar to the fix introduced in commit 704eb3aa, until a patch is available.