Vulnerability Details : CVE-2023-25161
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.
Vulnerability category: BypassGain privilege
Products affected by CVE-2023-25161
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:25.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-25161
0.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-25161
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
3.9
|
1.4
|
NIST | |
3.7
|
LOW | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |
2.2
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2023-25161
-
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-25161
-
https://hackerone.com/reports/1691195
HackerOnePermissions Required;Third Party Advisory
-
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f
Missing rate limiting on password reset functionality allows sending lots of emails · Advisory · nextcloud/security-advisories · GitHubVendor Advisory
-
https://github.com/nextcloud/server/pull/34632
Add rate limiting on lost password emails by come-nc · Pull Request #34632 · nextcloud/server · GitHubIssue Tracking;Patch
Jump to