FKIE_CVE-2024-52513

Vulnerability from fkie_nvd - Published: 2024-11-15 18:15 - Updated: 2026-06-17 08:07
Severity
2.6 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
References
security-advisories@github.comhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmjVendor Advisory
security-advisories@github.comhttps://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548Patch
security-advisories@github.comhttps://github.com/nextcloud/text/pull/6485Issue Tracking
security-advisories@github.comhttps://hackerone.com/reports/2376900Issue Tracking
Impacted products
Vendor Product Version
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
nextcloud nextcloud_server *
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 28.0.0, \u003c 28.0.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 29.0.0, \u003c 29.0.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 30.0.0, \u003c 30.0.1"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "B0D006AC-629B-4A6D-9396-DCE62C3C8D80",
              "versionEndExcluding": "25.0.13.13",
              "versionStartIncluding": "25.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "6D45CC15-D185-4413-A23B-F6429C5B5C01",
              "versionEndExcluding": "26.0.13.9",
              "versionStartIncluding": "26.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "3333CF87-D08E-4B39-B783-F98D05B61F29",
              "versionEndExcluding": "27.1.11.9",
              "versionStartIncluding": "27.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "F3877670-62F5-4DC6-9DBA-1CAA0973EED5",
              "versionEndExcluding": "28.0.11",
              "versionStartIncluding": "28.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "4B8ACC01-5984-4DEF-866C-75D1E2B44108",
              "versionEndExcluding": "28.0.11",
              "versionStartIncluding": "28.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "C6ED3761-5F4D-41EF-A060-14B43621791D",
              "versionEndExcluding": "29.0.8",
              "versionStartIncluding": "29.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "B32EC615-5F85-42EF-A2D9-540DB7AC3711",
              "versionEndExcluding": "29.0.8",
              "versionStartIncluding": "29.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "C7AA598E-F4CB-42C6-8540-6A6CCBA25AA6",
              "versionEndExcluding": "30.0.1",
              "versionStartIncluding": "30.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "E3D35A99-8C6A-4808-AE2C-0947113DBA58",
              "versionEndExcluding": "30.0.1",
              "versionStartIncluding": "30.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nextcloud Server is a self hosted personal cloud system. After receiving a \"Files drop\" or \"Password protected\" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1."
    },
    {
      "lang": "es",
      "value": "Nextcloud Server es un sistema de nube personal alojado por uno mismo. Despu\u00e9s de recibir un enlace para compartir con el mensaje \"Files drop\" o \"Password protected\", un usuario malintencionado pudo descargar archivos adjuntos a los que se hace referencia en archivos de texto sin proporcionar la contrase\u00f1a. Se recomienda actualizar Nextcloud Server a 28.0.11, 29.0.8 o 30.0.1 y Nextcloud Enterprise Server a 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 o 30.0.1."
    }
  ],
  "id": "CVE-2024-52513",
  "lastModified": "2026-06-17T08:07:21.943",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 2.6,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2024-52513",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2024-11-15T17:33:15.473323Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2024-11-15T18:15:30.157",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/nextcloud/text/pull/6485"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://hackerone.com/reports/2376900"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.