CVE-2023-45149
MEDIUMNextcloud Talk 15.0.0-15.0.8 - Brute Force Protection Bypass via Password Validation Endpoint
Title source: llmDescription
Nextcloud talk is a chat module for the Nextcloud server platform. In affected versions brute force protection of public talk conversation passwords can be bypassed, as there was an endpoint validating the conversation password without registering bruteforce attempts. It is recommended that the Nextcloud Talk app is upgraded to 15.0.8, 16.0.6 or 17.1.1. There are no known workarounds for this vulnerability.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7rf8-pqmj-rpqv
Issue Tracking, Patch x_refsource_misc
https://github.com/nextcloud/spreed/pull/10545
Permissions Required x_refsource_misc
https://hackerone.com/reports/2094473
Scores
CVSS v3
4.3
EPSS
0.0018
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-307
Status
published
Products (1)
nextcloud/talk
15.0.0 - 15.0.8
Published
Oct 16, 2023
Tracked Since
Feb 18, 2026