Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-52509

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2.

Published

2024-11-15T18:15:29.280

Last Modified

2025-09-04T23:55:37.360

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 3.5 (LOW)

Weaknesses

Type: Secondary
CWE-284
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	mail	< 2.2.10	Yes
Application	nextcloud	mail	< 3.6.2	Yes
Application	nextcloud	mail	< 3.7.2	Yes

References

https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b Patch ([email protected])
https://github.com/nextcloud/mail/pull/9592 Patch ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862 Patch, Vendor Advisory ([email protected])
https://hackerone.com/reports/1878255 Issue Tracking ([email protected])