NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available.
References
| Link | Resource |
|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 | Vendor Advisory |
| https://github.com/nextcloud/server/pull/38267 | Issue Tracking |
| https://hackerone.com/reports/1987062 | Permissions Required |
Configurations
Configuration 1 (hide)
|
History
05 Jul 2023, 13:34
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Nextcloud nextcloud Server
Nextcloud |
|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
| CPE | cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:* cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:* |
|
| References | (MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 - Vendor Advisory | |
| References | (MISC) https://github.com/nextcloud/server/pull/38267 - Issue Tracking | |
| References | (MISC) https://hackerone.com/reports/1987062 - Permissions Required |
23 Jun 2023, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-06-23 21:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-35172
Mitre link : CVE-2023-35172
CVE.ORG link : CVE-2023-35172
JSON object : View
Products Affected
nextcloud
- nextcloud_server
CWE
CWE-307
Improper Restriction of Excessive Authentication Attempts