CVE-2024-52525
published 2024-11-15


Priority: P3 (43)
Severity: high, CVSS 3.1 base score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.34% (25.7th percentile)

Nextcloud Server is a self-hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but a malicious process that gains access to the memory of the PHP process could read the cleartext password of the user. It is recommended that Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

Affected

6 ranges

Vendor      Product              Version range            Fixed in
nextcloud   nextcloud_server     >= 28.0.0 < 28.0.12      28.0.12
nextcloud   nextcloud_server     >= 29.0.0 < 29.0.9       29.0.9
nextcloud   nextcloud_server     >= 30.0.0 < 30.0.2       30.0.2
nextcloud   security-advisories  (no version range given)
nextcloud   security-advisories  (no version range given)
nextcloud   security-advisories  (no version range given)