PT-2024-35352 · Nextcloud+1 · Nextcloud Server+2
Lukasreschke · Published 2024-11-15 · Updated 2025-10-01
CVE-2024-52513
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 28.0.11
Nextcloud Server versions prior to 29.0.8
Nextcloud Server versions prior to 30.0.1
Nextcloud Enterprise Server versions prior to 25.0.13.13
Nextcloud Enterprise Server versions prior to 26.0.13.9
Nextcloud Enterprise Server versions prior to 27.1.11.9
Nextcloud Enterprise Server versions prior to 28.0.11
Nextcloud Enterprise Server versions prior to 29.0.8
Nextcloud Enterprise Server versions prior to 30.0.1
Description
A malicious user who has received a "Files drop" or "Password protected" share link can download attachments referenced in text files without providing the password.
Recommendations
Upgrade Nextcloud Server to version 28.0.11
Upgrade Nextcloud Server to version 29.0.8
Upgrade Nextcloud Server to version 30.0.1
Upgrade Nextcloud Enterprise Server to version 25.0.13.13
Upgrade Nextcloud Enterprise Server to version 26.0.13.9
Upgrade Nextcloud Enterprise Server to version 27.1.11.9
Upgrade Nextcloud Enterprise Server to version 28.0.11
Upgrade Nextcloud Enterprise Server to version 29.0.8
Upgrade Nextcloud Enterprise Server to version 30.0.1
Information Disclosure
Affected Products
Alt Linux
Nextcloud Enterprise Server
Nextcloud Server