CVE-2024-52518

medium

Description

Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

References

https://hackerone.com/reports/2602973

https://github.com/nextcloud/server/pull/48992

https://github.com/nextcloud/server/pull/48788

https://github.com/nextcloud/server/pull/48373

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vrhf-532w-99rg

Details

Source: Mitre, NVD

Published: 2024-11-15

Updated: 2025-01-23

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Severity: Medium

EPSS

EPSS: 0.00046