CVE-2023-25161

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-25161

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25161.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-25161

Aliases

GHSA-492h-596q-xr2f

Published

2023-02-13T20:22:32.743Z

Modified

2026-05-18T05:56:29.107607796Z

Severity

3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Nextcloud Server's missing rate limiting on password reset functionality allows sending lots of emails

Details

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1 24.0.8, and 23.0.12 missing rate limiting on password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.

Database specific

{
    "cwe_ids": [
        "CWE-284"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/25xxx/CVE-2023-25161.json"
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/server
Events: Introduced

5f37aacb3194d51503aaa3529ae8f676b32a25d7

Fixed

888ffa498d3a08bb32591704806ee90075b4bc20

Affected versions

v24.*

v24.0.0

v24.0.1

v24.0.1rc1

v24.0.2

v24.0.2rc1

v24.0.3

v24.0.3rc1

v24.0.3rc2

v24.0.4

v24.0.4rc1

v24.0.5

v24.0.5rc1

v24.0.6

v24.0.6rc1

v24.0.7

v24.0.7rc1

v24.0.8rc1

v24.0.8rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-25161.json"