CVE-2023-35172

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-35172
NextCloud Server and NextCloud Enterprise Server provide file storage for Nextcloud, a self-hosted productivity platform. In NextCloud Server versions 25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2, an attacker can bruteforce the password reset links. Nextcloud Server n 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12, 22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this issue. No known workarounds are available.

8.7 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 Vendor Advisory
https://github.com/nextcloud/server/pull/38267 Issue Tracking
https://hackerone.com/reports/1987062 Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 Vendor Advisory
https://github.com/nextcloud/server/pull/38267 Issue Tracking
https://hackerone.com/reports/1987062 Permissions Required
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
History

21 Nov 2024, 08:08

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 9.1 		v2 : unknown
v3 : 8.7
References () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 - Vendor Advisory () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 - Vendor Advisory
References () https://github.com/nextcloud/server/pull/38267 - Issue Tracking () https://github.com/nextcloud/server/pull/38267 - Issue Tracking
References () https://hackerone.com/reports/1987062 - Permissions Required () https://hackerone.com/reports/1987062 - Permissions Required

05 Jul 2023, 13:34

Type Values Removed Values Added
CPE cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
First Time Nextcloud nextcloud Server
Nextcloud
References (MISC) https://github.com/nextcloud/server/pull/38267 - (MISC) https://github.com/nextcloud/server/pull/38267 - Issue Tracking
References (MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 - (MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mjf5-p765-qmr6 - Vendor Advisory
References (MISC) https://hackerone.com/reports/1987062 - (MISC) https://hackerone.com/reports/1987062 - Permissions Required

23 Jun 2023, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-06-23 21:15

Updated : 2024-11-21 08:08

NVD link : CVE-2023-35172

Mitre link : CVE-2023-35172

CVE.ORG link : CVE-2023-35172

JSON object : View

Products Affected

nextcloud

  • nextcloud_server
CWE
CWE-307

Improper Restriction of Excessive Authentication Attempts


NetmanageIT Website NetmanageIT OSINT Web NetmanageIT OpenCTI NetmanageIT PDF Tools NetmanageIT CTO Corner Blog NetmanageIT Email Header Analyzer NetmanageIT Password Pusher NetmanageIT Internet Health and Latency Dashboard NetmanageIT Dedicated Speed Test Site NetmanageIT Ubuntu Mirror 10Gbps Copyright OpenCVE 2024