CVE-2024-22404

MEDIUM

Nextcloud Files Zip <1.2.1-1.5.0 - Info Disclosure

Title source: llm

Description

Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud. In affected versions users can download "view-only" files by zipping the complete folder. It is recommended that the Files ZIP app is upgraded to 1.2.1, 1.4.1, or 1.5.0. Users unable to upgrade should disable the file zip app.

References (3)

[Vendor Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vhj3-mch4-67fq

[Patch] https://github.com/nextcloud/files_zip/commit/43204539d517a13e945b90652718e2a213f46820

View Patch ZIP pw:eip

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/2247457

Scores

CVSS v3 4.1

EPSS 0.0067

EPSS Percentile 71.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-281

Status published

Products (2)

nextcloud/zipper 1.4.0

nextcloud/zipper < 1.2.1

Published Jan 18, 2024

Tracked Since Feb 18, 2026