Vulnerability Description
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 25.0.0, < 25.0.13.13 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5Vendor Advisory
- https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f154Patch
- https://github.com/nextcloud/text/pull/6485Issue Tracking
- https://hackerone.com/reports/2376900Issue Tracking
FAQ
What is CVE-2024-52513?
CVE-2024-52513 is a vulnerability with a CVSS score of 2.6 (LOW). Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text...
How severe is CVE-2024-52513?
CVE-2024-52513 has been rated LOW with a CVSS base score of 2.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-52513?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.