5.7

CVE-2024-52509

Nextcloud Mail app does not respect download permissions in shares

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud Mail app incorrectly allowed shared files without download permissions to be attached to messages. This allowed users to send the files to themselves and then download them from their mail clients. It is recommended that Nextcloud Mail be upgraded to 2.2.10, 3.6.2 or 3.7.2.
Possible countermeasure
Mail: Disable the Mail app
Data provided by the National Vulnerability Database (NVD)
Nextcloud Mail, SwPlatform nextcloud, Version >= 2.2.0, < 2.2.10
Nextcloud Mail, SwPlatform nextcloud, Version >= 3.6.0, < 3.6.2
Nextcloud Mail, SwPlatform nextcloud, Version >= 3.7.0, < 3.7.2
Further vulnerability information
System: Nextcloud App
Product: Mail
Version >= 2.2.0, < 2.2.10
Version >= 3.6.0, < 3.6.2
Version >= 3.7.0, < 3.7.2
No warning was found for this CVE.
EPSS metrics

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.32% | 0.546 |
CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.7 | 2.1 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
| security-advisories@github.com | 3.5 | 2.1 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.