4.3

CVE-2024-52513

EPSS 0.57%
Veröffentlicht 15.11.2024 18:15:30
Zuletzt bearbeitet 01.10.2025 18:04:28
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server's Attachments folder for Text app is accessible on "Files drop" and "Password protected" shares

Attachments folder for Text app is accessible on "Files drop" and "Password protected" shares

Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

NVD 9 VulnDex Vulnerability Enrichment 3

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 25.0.0 < 25.0.13.13

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 26.0.0 < 26.0.13.9

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.11.9

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 28.0.0 < 28.0.11

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 28.0.0 < 28.0.11

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 29.0.0 < 29.0.8

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 29.0.0 < 29.0.8

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 30.0.0 < 30.0.1

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 30.0.0 < 30.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 28.0.0, < 28.0.11

Version >= 29.0.0, < 29.0.8

Version >= 30.0.0, < 30.0.1

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 25.0.0, < 25.0.13.13

Version >= 26.0.0, < 26.0.13.9

Version >= 27.0.0, < 27.1.11.9

Version >= 28.0.0, < 28.0.11

Version >= 29.0.0, < 29.0.8

Version >= 30.0.0, < 30.0.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.57%	0.686

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
security-advisories@github.com	2.6	1.2	1.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj

Vendor Advisory

https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548

Patch

https://github.com/nextcloud/text/pull/6485

Issue Tracking

https://hackerone.com/reports/2376900

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-52513

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52513

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52513

EUVD