CVE-2024-52508

CWE-200 — Information Exposure2 documents2 sources

Severity

8.1HIGH

EPSS

0.3%

top 46.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Mail Nextcloud Security-advisories

Timeline

PublishedNov 15

Description

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like [email protected] that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:LExploitability: 1.6 | Impact: 6.0

Affected Packages2 packages

▶NVDnextcloud/mail1.9.0 — 1.14.6+4

▶CVEListV5nextcloud/security-advisories5 versions+4

Patches

Patch: github.com ↗

🔴Vulnerability Details

CVEList

Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers↗2024-11-15

▶