Vulnerability Monitor


CVE-2024-52520


Nextcloud Server is a self-hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended in order to find Open Graph data. It is recommended that Nextcloud Server be upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server be upgraded to 27.1.11.8, 28.0.10 or 29.0.7.


Published

2024-11-15T17:15:22.200

Last Modified

2025-09-05T00:00:50.437

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.7 (MEDIUM)

Weaknesses
  • Type: Secondary
    CWE-400
  • Type: Secondary
    CWE-79

Affected Vendors & Products
Type         Vendor     Product           Version/Range  Vulnerable?
Application  nextcloud  nextcloud_server  < 27.1.11.8    Yes
Application  nextcloud  nextcloud_server  < 28.0.10      Yes
Application  nextcloud  nextcloud_server  < 28.0.10      Yes
Application  nextcloud  nextcloud_server  < 29.0.7       Yes
Application  nextcloud  nextcloud_server  < 29.0.7       Yes

References