CVE-2024-52523
MEDIUMNextcloud Server < 25.0.13.14 - Information Disclosure
Title source: ruleDescription
Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2 and Nextcloud Enterprise Server is upgraded to 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9 or 30.0.2.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-42w6-r45m-9w9j
Issue Tracking x_refsource_misc
https://github.com/nextcloud/server/pull/49009
Scores
CVSS v3
4.6
EPSS
0.0053
EPSS Percentile
67.4%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-125
CWE-200
Status
published
Products (2)
nextcloud/nextcloud_server
25.0.0 - 25.0.13.14
nextcloud/nextcloud_server
28.0.0 - 28.0.12
Published
Nov 15, 2024
Tracked Since
Feb 18, 2026