CVE-2024-52520

EPSS 1.33%
Veröffentlicht 15.11.2024 17:15:22
Zuletzt bearbeitet 05.09.2025 00:00:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server's link reference provider can be tricked into downloading bigger files than intended

Link reference provider can be tricked into downloading bigger files than intended

Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.

Mögliche Gegenmaßnahme

Server: * Change config setting `'reference_opengraph' => false,` in config.php

Enterprise Server: * Change config setting `'reference_opengraph' => false,` in config.php

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 5 VulnDex Vulnerability Enrichment 3

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 27.0.0 < 27.1.11.8

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 28.0.0 < 28.0.10

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 28.0.0 < 28.0.10

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 29.0.0 < 29.0.7

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 29.0.0 < 29.0.7

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 28.0.0, < 28.0.10

Version >= 29.0.0, < 29.0.7

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 27.0.0, < 27.1.11.8

Version >= 28.0.0, < 28.0.10

Version >= 29.0.0, < 29.0.7

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.33%	0.796

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
security-advisories@github.com	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pxqf-cfxw-mqmj

Vendor Advisory

https://github.com/nextcloud/server/commit/873c42b0f1383d5b6f2b7a481e1d9620ed30f44a

Patch

https://github.com/nextcloud/server/pull/47627

Patch

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pxqf-cfxw-mqmj

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-52520

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52520

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52520

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-52520