CVE-2023-45150— Inviting excessive long email addresses to a calendar event makes the Nextcloud server unresponsive
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-45150
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Inviting excessive long email addresses to a calendar event makes the Nextcloud server unresponsive
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nextcloud calendar is a calendar app for the Nextcloud server platform. Due to missing precondition checks the server was trying to validate strings of any length as email addresses even when megabytes of data were provided, eventually making the server busy and unresponsive. It is recommended that the Nextcloud Calendar app is upgraded to 4.4.4. The only workaround for users unable to upgrade is to disable the calendar app.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nextcloud 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。 Nextcloud calendar 1.0.0版本及之后版本存在资源管理错误漏洞,该漏洞源于缺少先决条件检查,即使用户提供兆字节的数据,服务器也会尝试将任意长度的字符串验证为电子邮件地址,最终导致服务器繁忙且无响应。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| nextcloud | security-advisories | >= 1.0.0, < 4.4.4 | - |
II. Public POCs for CVE-2023-45150
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-45150
请登录查看更多情报信息。
- https://hackerone.com/reports/2058337x_refsource_MISC
- https://github.com/nextcloud/calendar/pull/5358x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2023-45150
Same Patch Batch · nextcloud · 2023-10-16 · 5 CVEs total
| CVE-2023-45151 | 6.5 MEDIUM | OAuth2 client_secret stored in plain text in the Nextcloud database |
| CVE-2023-45149 | 4.3 MEDIUM | Password of talk conversations can be bruteforced in Nextcloud |
| CVE-2023-45148 | 4.3 MEDIUM | Rate limiter not working reliable when Memcached is installed in Nextcloud |
| CVE-2023-45660 | 4.3 MEDIUM | Require strict cookies for image proxy requests in Nextcloud Mail |
IV. Related Vulnerabilities
Same product: security-advisories
- CVE-2026-28272
Kiteworks Email Protection Gateway has a Cross-site Scriptin - CVE-2026-28271
Kiteworks Core is vulnerable to Server-Side Request Forgery - CVE-2026-28270
Kiteworks Core has an Unrestricted Upload of File with Dange - CVE-2026-28269
Kiteworks Core has an OS Command Injection - CVE-2025-66558
Nextcloud Twofactor WebAuthn app was updated based on public
Same vendor: nextcloud
- CVE-2025-66558
Nextcloud Twofactor WebAuthn app was updated based on public - CVE-2025-66556
Nextcloud talk allows participants to blindly delete poll dr - CVE-2025-66554
Nextcloud Contacts vulnerable to Stored XSS in contacts app - CVE-2025-66549
Nextcloud Desktop discloses information when attempting to l - CVE-2025-66545
Nextcloud Groupfolders users with read-only permissions for
Same weakness: CWE-400
- CVE-2026-8187
Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption - CVE-2026-42343
FastGPT: Uncontrolled Resource Consumption leading to Sandbo - CVE-2026-42212
SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-lau - CVE-2026-32686
Unbounded exponent in decimal enables unauthenticated DoS - CVE-2026-20188
Cisco Crosswork Network Controller and Cisco Network Service
V. Comments for CVE-2023-45150
No comments yet