Vulnerability Description
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | < 23.0.12 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-5Vendor Advisory
- https://github.com/nextcloud/server/pull/34632Issue TrackingPatch
- https://hackerone.com/reports/1691195Permissions RequiredThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-5Vendor Advisory
- https://github.com/nextcloud/server/pull/34632Issue TrackingPatch
- https://hackerone.com/reports/1691195Permissions RequiredThird Party Advisory
FAQ
What is CVE-2023-25161?
CVE-2023-25161 is a vulnerability with a CVSS score of 3.7 (LOW). Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing r...
How severe is CVE-2023-25161?
CVE-2023-25161 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-25161?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.