Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-52525

Nextcloud Server is a self hosted personal cloud system. Under certain conditions the password of a user was stored unencrypted in the session data. The session data is encrypted before being saved in the session storage (Redis or disk), but it would allow a malicious process that gains access to the memory of the PHP process, to get access to the cleartext password of the user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

Published

2024-11-15T17:15:23.150

Last Modified

2025-01-23T14:33:48.657

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 1.8 (LOW)

Weaknesses

Type: Primary
CWE-312

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 28.0.12	Yes
Application	nextcloud	nextcloud_server	< 28.0.12	Yes
Application	nextcloud	nextcloud_server	< 29.0.9	Yes
Application	nextcloud	nextcloud_server	< 29.0.9	Yes
Application	nextcloud	nextcloud_server	< 30.0.2	Yes
Application	nextcloud	nextcloud_server	< 30.0.2	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w7v5-mgxm-v6gm Vendor Advisory ([email protected])
https://github.com/nextcloud/server/commit/d25a0a2896a2a981939cacb8ee0d555feef22b3b Patch ([email protected])
https://github.com/nextcloud/server/pull/48915 Issue Tracking ([email protected])