CVE-2024-52518

Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.4 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
4.4 MEDIUM
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
VendorProductVersion
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.12
nextcloudnextcloud_server
28.0.0 ≤
𝑥
< 28.0.12
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.9
nextcloudnextcloud_server
29.0.0 ≤
𝑥
< 29.0.9
nextcloudnextcloud_server
30.0.0 ≤
𝑥
< 30.0.2
nextcloudnextcloud_server
30.0.0 ≤
𝑥
< 30.0.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vrhf-532w-99rg
https://github.com/nextcloud/server/pull/48373
https://github.com/nextcloud/server/pull/48788
https://github.com/nextcloud/server/pull/48992
https://hackerone.com/reports/2602973