Sensitive Data Exposure in Nextcloud Server External Storage Feature
CVE-2024-52523
Currently unrated
What is CVE-2024-52523?
Nextcloud Server, a widely used self-hosted personal cloud system, has a vulnerability in its external storage feature. When a user or administrator sets up an external storage service with fixed credentials, those credentials can inadvertently be exposed through the API. This exposure allows an attacker who may have access to an active user session to view the sensitive information in plain text on the frontend interface. To mitigate this risk, update Nextcloud Server to version 28.0.12, 29.0.9, or 30.0.2. Users of Nextcloud Enterprise Server should upgrade to version 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9, or 30.0.2 as soon as possible.
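A fleet check against the fixed releases listed above, as an added example that is not part of the advisory or of Nextcloud's code. The function names, the `edition` labels and the sample inventory are assumptions; branches are matched by major version number, and a branch the advisory does not list is reported as `unlisted` rather than guessed.

```python
# Added example, not Nextcloud's code. Fixed releases are copied from the advisory text.
FIXED = {
    "server": ["28.0.12", "29.0.9", "30.0.2"],
    "enterprise": ["25.0.13.14", "26.0.13.10", "27.1.11.10",
                   "28.0.12", "29.0.9", "30.0.2"],
}


def parse_version(text):
    """Turn '27.1.11.10' into (27, 1, 11, 10); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(version, length):
    """Right-pad with zeros so 28.0.12 and 28.0.12.0 compare equal."""
    return version + (0,) * (length - len(version))


def assess(installed, edition="server"):
    """Return (status, fixed_release) for an installed version string.

    status is 'patched', 'upgrade', or 'unlisted' (the advisory names no
    fixed release for that major branch, so no verdict is inferred).
    """
    have = parse_version(installed)
    for fixed_text in FIXED[edition]:
        fixed = parse_version(fixed_text)
        if fixed[0] != have[0]:      # assumption: one branch per major number
            continue
        width = max(len(have), len(fixed))
        if _pad(have, width) >= _pad(fixed, width):
            return ("patched", fixed_text)
        return ("upgrade", fixed_text)
    return ("unlisted", None)


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, edition)
    for host, ver, ed in [("cloud-a", "29.0.8", "server"),
                          ("cloud-b", "30.0.10", "server"),
                          ("cloud-c", "27.1.11.9", "enterprise"),
                          ("cloud-d", "27.1.11", "server")]:
        print(host, ver, ed, *assess(ver, ed))
```

Components are compared numerically, so `30.0.10` is correctly treated as newer than `30.0.2`, which a plain string comparison would get wrong.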