CVE-2024-52515

medium

Description

Nextcloud Server is a self hosted personal cloud system. After an admin enables the default-disabled SVG preview provider, a malicious user could upload a manipulated SVG file referencing paths. If the file would exist the preview of the SVG would preview the other file instead. It is recommended that the Nextcloud Server is upgraded to 27.1.10, 28.0.6 or 29.0.1 and Nextcloud Enterprise Server is upgraded to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6 or 29.0.1.

References

https://hackerone.com/reports/2484499

https://github.com/nextcloud/server/pull/45340

https://github.com/nextcloud/server/commit/7e1c30f82a63fbea8c269e0eec38291377f32604

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5m5g-hw8c-2236

Details

Source: Mitre, NVD

Published: 2024-11-15

Updated: 2025-10-01

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00058