Vulnerability Description
Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | >= 24.0.0, < 24.0.12.15 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5m5g-hVendor Advisory
- https://github.com/nextcloud/server/commit/7e1c30f82a63fbea8c269e0eec38291377f32Patch
- https://github.com/nextcloud/server/pull/45340Issue Tracking
- https://hackerone.com/reports/2484499Issue Tracking
FAQ
What is CVE-2024-52515?
CVE-2024-52515 is a vulnerability with a CVSS score of 5.7 (MEDIUM). Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If th...
How severe is CVE-2024-52515?
CVE-2024-52515 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-52515?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.