Cross-Site Scripting Vulnerability in Nextcloud Server
CVE-2024-52517

5.9 MEDIUM

Key Information:

Vendor: Nextcloud
CVE Published: 15 November 2024

What is CVE-2024-52517?

A vulnerability in Nextcloud Server allows stored global credentials to be exfiltrated when an attacker gains access to an active user session. When credentials are stored on the server, the API is capable of returning them, exposing sensitive data in plain text. To mitigate this vulnerability, users are advised to upgrade their installations to the latest versions: Nextcloud Server to 28.0.11, 29.0.8, or 30.0.1, and Nextcloud Enterprise Server to 25.0.13.13, 26.0.13.9, 27.1.11.9, along with other specified versions.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
