Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-52518


Nextcloud Server is a self-hosted personal cloud system. An attacker who has gained access to the session of a user or administrator can create, change or delete external storages without having to confirm the password. It is recommended that Nextcloud Server be upgraded to 28.0.12, 29.0.9 or 30.0.2.


Published

2024-11-15T17:15:21.543

Last Modified

2025-01-23T15:15:58.413

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.4 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-287
  • Type: Primary
    CWE-863

Affected Vendors & Products
Type         Vendor     Product           Version/Range  Vulnerable?
Application  nextcloud  nextcloud_server  < 28.0.12      Yes
Application  nextcloud  nextcloud_server  < 28.0.12      Yes
Application  nextcloud  nextcloud_server  < 29.0.9       Yes
Application  nextcloud  nextcloud_server  < 29.0.9       Yes
Application  nextcloud  nextcloud_server  < 30.0.2       Yes
Application  nextcloud  nextcloud_server  < 30.0.2       Yes

References