CVE-2024-52509

medium

Description

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2.

References

https://hackerone.com/reports/1878255

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862

https://github.com/nextcloud/mail/pull/9592

https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b

Details

Source: Mitre, NVD

Published: 2024-11-15

Updated: 2025-09-04

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.7

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00041