CVE-2024-52513

CWE-200Information Exposure2 documents2 sources
Severity
4.3MEDIUM
EPSS
0.6%
top 31.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Nextcloud ServerNextcloud Security-advisories
Timeline
PublishedNov 15

Description

Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server25.0.025.0.13.13+5
CVEListV5nextcloud/security-advisories>= 28.0.0, < 28.0.11, >= 29.0.0, < 29.0.8, >= 30.0.0, < 30.0.1+2

Patches

Patch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Server's Attachments folder for Text app is accessible on "Files drop" and "Password protected" shares2024-11-15
CVE-2024-52513 (MEDIUM CVSS 4.3) | Nextcloud Server is a self hosted p | cvebase.io