CVE-2023-25161

CWE-284 — Improper Access Control2 documents2 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 44.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Security-advisories Nextcloud Nextcloud Server

Timeline

PublishedFeb 13

Description

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. …

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:LExploitability: 2.2 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server24.0.0 — 24.0.8+2

▶CVEListV5nextcloud/security-advisories< 23.0.2+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Server's missing rate limiting on password reset functionality allows sending lots of emails↗2023-02-13

▶