CVE-2024-52517
MEDIUMNextcloud Server 25.0.0-25.0.13/28.0.0-28.0.11 - Sensitive Info Exposure via API
Title source: llmDescription
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x9q3-c7f8-3rcg
Issue Tracking x_refsource_misc
https://github.com/nextcloud/server/pull/48359
Patch x_refsource_misc
https://github.com/nextcloud/server/commit/c45ed55f959ff54f3ea23dd2ae1a5868a075c9fe
Issue Tracking x_refsource_misc
https://hackerone.com/reports/2554079
Scores
CVSS v3
4.6
EPSS
0.0059
EPSS Percentile
43.6%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
nextcloud/nextcloud_server
25.0.0 - 25.0.13.13
nextcloud/nextcloud_server
28.0.0 - 28.0.11
Published
Nov 15, 2024
Tracked Since
Feb 18, 2026