CVE-2024-52513

Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
GitHub_MCNA
2.6 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 28%
VendorProductVersion
nextcloudnextcloud_server
25.0.0 ≤
𝑥
< 25.0.13.13
nextcloudnextcloud_server
26.0.0 ≤
𝑥
< 26.0.13.9
nextcloudnextcloud_server
27.0.0 ≤
𝑥
< 27.1.11.9
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.11
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.11
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.8
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.8
nextcloudnextcloud_server
30.0.0 ≤
𝑥
< 30.0.1
nextcloudnextcloud_server
30.0.0 ≤
𝑥
< 30.0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj
https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548
https://github.com/nextcloud/text/pull/6485
https://hackerone.com/reports/2376900