CVE-2024-52518

Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.7 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vrhf-532w-99rg	Vendor Advisory
https://github.com/nextcloud/server/pull/48373	Issue Tracking
https://github.com/nextcloud/server/pull/48788	Issue Tracking
https://github.com/nextcloud/server/pull/48992	Issue Tracking
https://hackerone.com/reports/2602973	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*

History

23 Jan 2025, 15:15

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vrhf-532w-99rg -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vrhf-532w-99rg - Vendor Advisory
References	~~() https://github.com/nextcloud/server/pull/48373 -~~	() https://github.com/nextcloud/server/pull/48373 - Issue Tracking
References	~~() https://github.com/nextcloud/server/pull/48788 -~~	() https://github.com/nextcloud/server/pull/48788 - Issue Tracking
References	~~() https://github.com/nextcloud/server/pull/48992 -~~	() https://github.com/nextcloud/server/pull/48992 - Issue Tracking
References	~~() https://hackerone.com/reports/2602973 -~~	() https://hackerone.com/reports/2602973 - Permissions Required
CPE		cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::* cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
CWE		CWE-863
First Time		Nextcloud nextcloud Server Nextcloud

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) Nextcloud Server es un sistema de nube personal alojado por el usuario. Una vez que un atacante obtiene acceso a la sesión de un usuario o administrador, puede crear, cambiar o eliminar almacenamientos externos sin tener que confirmar la contraseña. Se recomienda actualizar Nextcloud Server a 28.0.12, 29.0.9 o 30.0.2.

15 Nov 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 17:15

Updated : 2025-01-23 15:15

NVD link : CVE-2024-52518

Mitre link : CVE-2024-52518

CVE.ORG link : CVE-2024-52518

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-287

Improper Authentication

CWE-863

Incorrect Authorization

4.4 /10