CVE-2023-25818
Severity: MEDIUM
Nextcloud Server 21.0.0-21.0.9.10 and 24.0.0-24.0.10 - Brute Force Attack via Password Reset Token
Title source: llmDescription
Nextcloud Server is an open source, personal cloud implementation. In affected versions a malicious user could request a password reset for another user and then brute force the 62^21 possible values of the password reset token. As of commit `704eb3aa` password reset attempts are throttled. Note that brute forcing 62^21 combinations would require significant compute resources. Nonetheless, it is recommended that Nextcloud Server be upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.
References (3)
Vendor Advisory (x_refsource_confirm): https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp
Issue Tracking (x_refsource_misc): https://github.com/nextcloud/server/pull/36489
Scores
CVSS v3: 5.3
EPSS: 0.0015
EPSS Percentile: 34.7%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-307
Status: published
Products (2)
nextcloud/nextcloud_server 21.0.0 - 21.0.9.10
nextcloud/nextcloud_server 24.0.0 - 24.0.10
Published: Mar 27, 2023
Tracked Since: Feb 18, 2026