CVE-2024-52518

CWE-287 — Improper Authentication CWE-863 — Incorrect Authorization2 documents2 sources

Severity

5.4MEDIUM

EPSS

0.1%

top 69.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Nextcloud Server Nextcloud Security-advisories

Timeline

PublishedNov 15

Description

Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.7 | Impact: 3.6

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server28.0.0 — 28.0.12+2

▶CVEListV5nextcloud/security-advisories>= 28.0.0, < 28.0.12, >= 29.0.0, < 29.0.9, >= 30.0.0, < 30.0.2+2

🔴Vulnerability Details

CVEList

Nextcloud Server is missing password confirmation when changing external storage options↗2024-11-15

▶