Home > Vulnerability Database > CVE-2023-25818

Mend.io Vulnerability Database

CVE-2023-25818

Good to know:

Date: March 27, 2023

Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit `704eb3aa` password reset attempts are now throttled. Note that 62^21 combinations would significant compute resources to brute force. None the less it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.

Language: PHP

Severity Score

7.1

Related Resources (5)

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp

Url: https://github.com/nextcloud/server/pull/36489

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-25818

Url: https://github.com/nextcloud/server/pull/36489/commits/704eb3aa6cecc0a646f5cca4290b595f493f9ed3

Url: https://www.mend.io/vulnerability-database/CVE-2023-25818

Severity Score

7.1

Weakness Type (CWE)

Improper Restriction of Excessive Authentication Attempts

CWE-307

Top Fix

Upgrade Version

Upgrade to version v24.0.10,v25.0.4

Learn More

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-25818

Good to know:

Date: March 27, 2023

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?