Collaboration App, Twake (https://twake.app) before versions v2023.Q1.1223 does not restrict unauthenticated login attempts allowing for brute force attacks at the login page.

At the time of this report Twake has over 1 million Docker Pulls (source: https://github.com/linagora/Twake)

• https://www.cve.org/CVERecord?id=CVE-2023-1665

• https://nvd.nist.gov/vuln/detail/CVE-2023-1665

• https://www.huntr.dev/bounties/db8fcbab-6ef0-44ba-b5c6-3b0f17ca22a2/

Vulnerability discovered and reported by Kevin Suckiel (@0xsu3ks) January, 2023.