CVE-2024-52515

MEDIUM

Nextcloud Server < 27.1.10, 28.0.6, 29.0.1 - Path Traversal via SVG preview provider

Title source: llm

Description

Nextcloud Server is a self-hosted personal cloud system. Once an administrator enables the SVG preview provider (disabled by default), an authenticated user could upload a crafted SVG file that references local file paths. If a referenced file exists on the server, the generated preview renders that file's content instead of the SVG. It is recommended that Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and that Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1.
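The weakness class here (CWE-706) is a reference inside the uploaded SVG that the preview renderer resolves to a different file. The advisory does not say which SVG construct was abused, so the gate below is an added example, not Nextcloud code: it scans an SVG for the generic ways a document can pull in another resource (href/xlink:href attributes, CSS url(), DOCTYPE external entities) and refuses anything that is not an in-document fragment or an inline data: URI. The attribute and URL patterns, the sample files, and the function names are all assumptions made for this illustration.

```python
"""Pre-preview gate for SVG uploads: flag references a renderer might resolve to other files.

Added example, not Nextcloud code. The real CVE-2024-52515 construct is not stated
in the advisory; the patterns below are generic SVG reference vectors (assumption).
"""
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# Attributes through which <image>, <use>, <feImage>, <a>, ... pull in a resource.
REF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# DOCTYPE-declared external entities (SYSTEM/PUBLIC) are another way to read a file.
ENTITY_RE = re.compile(r"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\s+\"([^\"]*)\"", re.I)
# CSS url(...) inside style attributes and <style> blocks.
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)


def _is_local_only(target: str) -> bool:
    """Targets that cannot name another file: fragments (#id) and inline data: URIs."""
    t = target.strip()
    return t.startswith("#") or t.lower().startswith("data:")


def suspicious_references(svg_bytes: bytes) -> list:
    """Return (where, target) pairs for every reference that is neither a fragment nor data:.

    Absolute paths, relative paths, file:// and http(s):// URLs are all reported; the
    preview provider must never get the chance to resolve them.
    """
    text = svg_bytes.decode("utf-8", errors="replace")
    findings = [("!ENTITY", m.group(1)) for m in ENTITY_RE.finditer(text)]
    if findings:
        return findings  # reject on external entities without even parsing the XML
    root = ET.fromstring(svg_bytes)
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
        for attr in REF_ATTRS:
            value = elem.attrib.get(attr)
            if value is not None and not _is_local_only(value):
                findings.append((tag, value.strip()))
        css_sources = [elem.attrib.get("style", "")]
        if tag == "style" and elem.text:
            css_sources.append(elem.text)
        for css in css_sources:
            for m in CSS_URL_RE.finditer(css):
                if not _is_local_only(m.group(1)):
                    findings.append((tag + " css", m.group(1)))
    return findings


def safe_for_preview(svg_bytes: bytes) -> bool:
    """Gate a file before it is handed to an SVG preview provider."""
    try:
        return not suspicious_references(svg_bytes)
    except ET.ParseError:
        return False  # malformed XML: refuse rather than guess what a renderer would do


# Constructed samples for the example; they are not payloads from the advisory.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="4"/></defs>
  <use xlink:href="#dot" x="10" y="10"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="8" height="8"/>
</svg>"""

PATH_REF_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="/etc/passwd" width="400" height="400"/>
  <rect style="fill:url(../../config/config.php)" width="10" height="10"/>
</svg>"""

ENTITY_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY leak SYSTEM "file:///etc/hostname"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&leak;</text></svg>"""

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SVG), ("path-ref", PATH_REF_SVG), ("entity", ENTITY_SVG)):
        print(name, safe_for_preview(blob), suspicious_references(blob))
```

In Nextcloud the provider in question is `OC\Preview\SVG`, enabled by adding it to the `enabledPreviewProviders` array in config.php; the upgrade is the fix, and a gate like this only reduces exposure while that provider remains enabled on an unpatched instance. Any finding should cause the upload (or at least preview generation) to be refused, not stripped and retried, since a renderer may follow references this allow-list does not anticipate.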

Scores

CVSS v3 5.7
EPSS 0.0149
EPSS Percentile 81.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-706
Status published
Products (2)
nextcloud/nextcloud_server 24.0.0 - 24.0.12.15
nextcloud/nextcloud_server 27.0.0 - 27.1.10
Published Nov 15, 2024
Tracked Since Feb 18, 2026