# Password of Talk conversations can be brute-forced
Severity: Medium
## Vulnerability Details
## Steps To Reproduce:
1. Instead of sending a POST to the authentication endpoint, the password can be supplied as a parameter on the GET request for the front page.
2. A wrong password is not logged as a brute-force attempt, but a correct password no longer brings up the login page.
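As an added illustration (not Nextcloud's code), a small Python model of the flaw and of its fix: the brute-force counter has to be consulted and updated by every code path that checks the password, including a password passed as a GET parameter on the front page. The class and function names, the threshold of 5 failures and the sample values are assumptions.

```python
import hmac
from collections import defaultdict

MAX_FAILURES = 5  # assumed threshold for this model


class BruteForceProtection:
    """Counts failed attempts per client and blocks once the threshold is hit."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def register_failure(self, client_ip):
        self.failures[client_ip] += 1

    def is_blocked(self, client_ip):
        return self.failures[client_ip] >= self.max_failures


def vulnerable_get_front_page(bfp, client_ip, params, real_password):
    """Model of the reported behaviour: the front page accepts a password in
    the GET query string and only compares it; a wrong guess is never
    reported to the brute-force protection, so the client is never blocked."""
    if bfp.is_blocked(client_ip):
        return "blocked"
    if params.get("password") == real_password:
        return "conversation"
    return "login_page"  # silent failure: nothing registered


def hardened_get_front_page(bfp, client_ip, params, real_password):
    """Fixed model: every password check, whichever entry point receives it,
    registers its failures with the same protection the POST endpoint uses."""
    if bfp.is_blocked(client_ip):
        return "blocked"
    if "password" in params:
        if hmac.compare_digest(params["password"], real_password):
            return "conversation"
        bfp.register_failure(client_ip)
    return "login_page"


def run_guesses(handler, guesses, real_password, client_ip="198.51.100.7"):
    """Feed constructed guesses to a handler; return (outcomes, failures recorded)."""
    bfp = BruteForceProtection()
    outcomes = [handler(bfp, client_ip, {"password": g}, real_password) for g in guesses]
    return outcomes, bfp.failures[client_ip]
```

The same list of wrong guesses leaves the vulnerable handler with zero recorded failures, while the hardened handler blocks the client after the fifth one.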
## Supporting Material/References:
Found while looking into https://support.nextcloud.com/#ticket/zoom/47814
## Impact
Brute force protection of public talk conversation passwords can be bypassed.
## Report Stats
- Report ID: 2094473
- State: Closed
- Substate: resolved
- Upvotes: 27