CVE-2024-37885
LOW
Nextcloud Desktop < 3.12.0 - Code Injection via DYLD_INSERT_LIBRARIES
Title source: llm
Description
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection vulnerability in the Nextcloud Desktop Client for macOS allowed arbitrary code to be loaded when the client was started with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
References (3)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7
Patch x_refsource_misc
https://github.com/nextcloud/desktop/pull/6378
Issue Tracking x_refsource_misc
https://hackerone.com/reports/2307625
Scores
CVSS v3
3.8
EPSS
0.0013
EPSS Percentile
31.4%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-94
Status
published
Products (1)
nextcloud/desktop
< 3.12.0
Published
Jun 14, 2024
Tracked Since
Feb 18, 2026