Missing brute force protection on OAuth2 API controller

## Description

### Impact

The OAuth2 API controller lacks brute-force protection, so an attacker can brute force the client secrets of configured OAuth2 clients by sending repeated authentication attempts to it.
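To make the impact concrete, the following added example (not Nextcloud code; client IDs, secrets, addresses and the wordlist are constructed) models a minimal token endpoint in two modes: one that answers every request, as the unprotected controller does, and one that counts failed client-secret checks per request source and rejects further attempts once a threshold is reached inside a sliding window. An attacker loop run against both shows the difference.

```python
"""Toy OAuth2 client_secret check with and without brute-force protection.
Added example, not Nextcloud code; all identifiers below are constructed."""
import hmac
from collections import defaultdict

# Constructed sample client registry (hypothetical values).
CLIENTS = {"abc123": "s3cr3t-correct"}

# Constructed attacker wordlist: ten wrong guesses, then the real secret.
CANDIDATES = [f"guess{i}" for i in range(10)] + ["s3cr3t-correct"]


class FakeClock:
    """Manually advanced clock so the sliding window is deterministic."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class TokenEndpoint:
    """Minimal client-secret check.

    throttle=False reproduces the unprotected controller: every request is
    answered, so secrets can be guessed at line rate.
    throttle=True records failed authentications per request source and
    rejects further attempts once max_attempts failures fall inside window.
    """

    def __init__(self, throttle, max_attempts=5, window=60.0, clock=None):
        self.throttle = throttle
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock if clock is not None else FakeClock()
        self.failures = defaultdict(list)  # source -> timestamps of failures

    def _blocked(self, source):
        now = self.clock()
        recent = [t for t in self.failures[source] if now - t < self.window]
        self.failures[source] = recent
        return len(recent) >= self.max_attempts

    def token(self, source, client_id, client_secret):
        """Return (http_status, body) for a token request from `source`."""
        if self.throttle and self._blocked(source):
            return 429, {"error": "too_many_requests"}
        expected = CLIENTS.get(client_id)
        # compare_digest is constant-time, so a wrong guess does not leak
        # how many leading bytes of the secret matched.
        ok = expected is not None and hmac.compare_digest(
            expected.encode(), client_secret.encode())
        if not ok:
            if self.throttle:
                self.failures[source].append(self.clock())
            return 401, {"error": "invalid_client"}
        return 200, {"access_token": "token-for-" + client_id}


def brute_force(endpoint, source, client_id, candidates):
    """Attacker loop. Returns (secret_or_None, requests_sent, was_throttled)."""
    for n, guess in enumerate(candidates, 1):
        status, _ = endpoint.token(source, client_id, guess)
        if status == 429:
            return None, n, True
        if status == 200:
            return guess, n, False
    return None, len(candidates), False


if __name__ == "__main__":
    src = "203.0.113.5"  # constructed attacker address
    print("unprotected:", brute_force(TokenEndpoint(False), src, "abc123", CANDIDATES))
    print("throttled:  ", brute_force(TokenEndpoint(True), src, "abc123", CANDIDATES))
```

Against the unprotected endpoint the loop recovers the secret on its eleventh request; against the throttled one it is cut off after five failures and never reaches the correct guess. Nextcloud's actual fix uses the server's built-in brute-force throttler rather than this ad-hoc counter, and in practice the counter should be keyed on more than the source address (for example source plus client ID), since an attacker spreading guesses across many addresses would otherwise stay under the per-source threshold.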

### Patches

It is recommended that the Nextcloud Server is upgraded to 25.0.9, 26.0.4 or 27.0.1.
It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4 or 27.0.1.

### Workarounds

* No workaround is available.

### References

* [HackerOne]()
* [PullRequest]()

### For more information

If you have any questions or comments about this advisory:

* Create a post in [nextcloud/security-advisories]()
* Customers: Open a support ticket at [portal.nextcloud.com]()
