SVG File Upload Vulnerability in Nextcloud Server
CVE-2024-52515
Currently unrated
What is CVE-2024-52515?
Nextcloud Server has a vulnerability related to SVG file previews. When an administrator has activated the SVG preview provider, a malicious actor can upload a crafted SVG file that references unauthorized paths. If the exploit succeeds, the manipulated SVG can display content from other files, exposing sensitive information. To mitigate this risk, upgrade Nextcloud Server to version 27.1.10, 28.0.6, or 29.0.1, and Nextcloud Enterprise Server to version 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6, or 29.0.1.
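A check a defender could run over uploaded SVG files to list references that point outside the SVG document itself. It is an added example, not Nextcloud's code or its fix. The advisory does not say which elements or attributes carry the reference, so the places inspected (`href`, `xlink:href`, CSS `url()`) and the names `external_references` and `SAMPLE_SVG` are assumptions.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Captures the target of a CSS url(...) value, quoted or not.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")


def is_self_contained(ref: str) -> bool:
    """True for same-document fragments (#id) and inline data: URIs."""
    ref = ref.strip()
    return ref == "" or ref.startswith("#") or ref.lower().startswith("data:")


def external_references(svg_text: str) -> list[tuple[str, str]]:
    """Return (element, reference) pairs that point outside the SVG file."""
    if "<!ENTITY" in svg_text.upper():
        # Refuse entity declarations rather than let the parser expand them.
        raise ValueError("entity declarations are not accepted")
    findings = []
    for el in ET.fromstring(svg_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        refs = []
        for name, value in el.attrib.items():
            if name in ("href", XLINK_HREF):
                refs.append(value)
            else:  # style="" and presentation attributes such as fill=""
                refs.extend(CSS_URL.findall(value))
        if tag == "style":
            refs.extend(CSS_URL.findall(el.text or ""))
        findings.extend((tag, r) for r in refs if not is_self_contained(r))
    return findings


# Constructed sample: three self-contained references and one that is not.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><linearGradient id="g"/></defs>
  <rect fill="url(#g)" width="10" height="10"/>
  <use xlink:href="#g"/>
  <image href="data:image/png;base64,AAAA"/>
  <image href="../PLACEHOLDER-other-file.png"/>
</svg>"""

if __name__ == "__main__":
    for element, ref in external_references(SAMPLE_SVG):
        print(f"review: <{element}> references {ref}")
```

A non-empty result marks a file for review before it reaches a preview renderer. Upgrading to the fixed versions listed above remains the mitigation.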