Vulnerability Description
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5; an attacker is not restricted in verifying passwords of share links so they can just start brute forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 23.0.0, < 23.0.12.6 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xVendor Advisory
- https://github.com/nextcloud/server/pull/35057Issue TrackingPatch
- https://hackerone.com/reports/1894653ExploitIssue TrackingThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xVendor Advisory
- https://github.com/nextcloud/server/pull/35057Issue TrackingPatch
- https://hackerone.com/reports/1894653ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2023-28847?
CVE-2023-28847 is a vulnerability with a CVSS score of 3.1 (LOW). Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5; as well as Nextcloud Server Ent...
How severe is CVE-2023-28847?
CVE-2023-28847 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28847?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.