| Field | Previous value | Updated value |
| --- | --- | --- |
| Severity | | |
| Remote | | |
| Type | Unknown | Insufficient validation |
| Description | | In Nextcloud Server versions prior to 21.0.3, rate limits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the applications installed on the Nextcloud Server, but could range from bypassing authentication rate limits to spamming other Nextcloud users. |
| References | | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j<br>https://hackerone.com/reports/1214158<br>https://github.com/nextcloud/server/pull/27329<br>https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78 |