CVE-2024-52515

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 27.1.10 Nextcloud Server versions prior to 28.0.6 Nextcloud Server versions prior to 29.0.1 Nextcloud Enterprise Server versions prior to 24.0.12.15 Nextcloud Enterprise Server versions prior to 25.0.13.10 Nextcloud Enterprise Server versions prior to 26.0.13.4 Nextcloud Enterprise Server versions prior to 27.1.10 Nextcloud Enterprise Server versions prior to 28.0.6 Nextcloud Enterprise Server versions prior to 29.0.1

Description The issue is related to the SVG preview provider in Nextcloud Server, which is disabled by default. If an admin enables this feature, a malicious user could upload a manipulated SVG file that references other paths. This could allow the preview of the SVG to display the contents of another file instead, potentially leading to unauthorized access to confidential information.

Recommendations For Nextcloud Server versions prior to 27.1.10, upgrade to version 27.1.10 or later. For Nextcloud Server versions prior to 28.0.6, upgrade to version 28.0.6 or later. For Nextcloud Server versions prior to 29.0.1, upgrade to version 29.0.1 or later. For Nextcloud Enterprise Server versions prior to 24.0.12.15, upgrade to version 24.0.12.15 or later. For Nextcloud Enterprise Server versions prior to 25.0.13.10, upgrade to version 25.0.13.10 or later. For Nextcloud Enterprise Server versions prior to 26.0.13.4, upgrade to version 26.0.13.4 or later. For Nextcloud Enterprise Server versions prior to 27.1.10, upgrade to version 27.1.10 or later. For Nextcloud Enterprise Server versions prior to 28.0.6, upgrade to version 28.0.6 or later. For Nextcloud Enterprise Server versions prior to 29.0.1, upgrade to version 29.0.1 or later. As a temporary workaround, consider disabling the SVG preview provider until a patch is available.