CVE-2023-25818

Nextcloud server is an open source, personal cloud implementation. In affected versions a malicious user could try to reset the password of another user and then brute force the 62^21 combinations for the password reset token. As of commit 704eb3aa password reset attempts are now throttled. Note that 62^21 combinations would significant compute resources to brute force. None the less it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.

Published: Mar 27, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-25818
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CWEs:

CWE-307

Affected Software
References

Software	From	Fixed in
nextcloud / nextcloud_server	23.0.0	23.0.12.5
nextcloud / nextcloud_server	25.0.0	25.0.4
nextcloud / nextcloud_server	24.0.0	24.0.10
nextcloud / nextcloud_server	21.0.0	21.0.9.10
nextcloud / nextcloud_server	22.0.0	22.2.10.10

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp
https://github.com/nextcloud/server/pull/36489
https://github.com/nextcloud/server/pull/36489/commits/704eb3aa6cecc0a646f5cca4290b595f493f9ed3

Vulnerability Database

289,599

CVE-2023-25818