PT-2024-9154 · Nextcloud+1 · Nextcloud Server+2
Tuyenee · Published 2024-09-02 · Updated 2024-12-03 · CVE-2024-52520
CVSS v2.0: 6.8 (Medium)
| Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions:
Nextcloud Server versions prior to 28.0.10
Nextcloud Server versions prior to 29.0.7
Nextcloud Enterprise Server versions prior to 27.1.11.8
Nextcloud Enterprise Server versions prior to 28.0.10
Nextcloud Enterprise Server versions prior to 29.0.7
Description:
The issue is related to a pre-flight HEAD request: its answer could trick the link reference provider into downloading larger websites than intended while looking for Open Graph data, which could potentially lead to a denial of service.
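The defensive pattern the description implies is that a HEAD preflight can only ever be a hint, and the size limit must be enforced on the bytes actually read from the GET body. The following is an added illustration, not Nextcloud's own code: the cap value, the function names and the simulated response are assumptions made for the example.

```python
import io
import re

# Upper bound on how much of a page is read while looking for Open Graph
# tags. Constructed value for this example, not a Nextcloud setting.
MAX_BODY_BYTES = 64 * 1024

OG_META = re.compile(r'<meta\s+property="og:(\w+)"\s+content="([^"]*)"', re.I)


def read_capped(body, limit=MAX_BODY_BYTES, chunk_size=4096):
    """Read at most `limit` bytes from a file-like body, regardless of any
    Content-Length the server advertised. Returns (data, truncated)."""
    buf = bytearray()
    while len(buf) < limit:
        chunk = body.read(min(chunk_size, limit - len(buf)))
        if not chunk:
            return bytes(buf), False
        buf.extend(chunk)
    # Peek one more byte to learn whether the body continued past the cap.
    truncated = bool(body.read(1))
    return bytes(buf), truncated


def fetch_opengraph(head_headers, body, limit=MAX_BODY_BYTES):
    """Simulated fetch. `head_headers` is what the preflight HEAD reported,
    `body` is the stream returned by the follow-up GET. The HEAD answer is
    only used to reject obviously oversized targets early; the real bound is
    enforced while reading the GET body, so a misleading HEAD cannot cause
    an unbounded download."""
    declared = head_headers.get("content-length")
    if declared is not None:
        try:
            if int(declared) > limit:
                return None, "rejected-by-head"
        except ValueError:
            pass  # unparsable header: fall through to the capped read
    data, truncated = read_capped(body, limit)
    return data, "truncated" if truncated else "complete"


def extract_og(data):
    """Return the og:* properties found in the bytes that were read."""
    text = data.decode("utf-8", errors="replace")
    return {name.lower(): value for name, value in OG_META.findall(text)}


def constructed_response():
    """Constructed sample: HEAD claims a tiny page, GET streams a large one.
    The og:title sits in the first few hundred bytes, so the capped read still
    finds it while the bulk of the body is never pulled into memory."""
    head_headers = {"content-length": "512"}
    page = (b'<html><head><meta property="og:title" content="Hello"></head>'
            b'<body>' + b"x" * 200_000 + b"</body></html>")
    return head_headers, io.BytesIO(page)


if __name__ == "__main__":
    headers, body = constructed_response()
    data, status = fetch_opengraph(headers, body)
    print(status, len(data), extract_og(data))
```

In a real provider the stream would come from the HTTP client's response object; the point is that the cap is applied to the body read, not derived from the HEAD reply.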
Recommendations:
For Nextcloud Server versions prior to 28.0.10, upgrade to 28.0.10 or 29.0.7.
For Nextcloud Server versions prior to 29.0.7, upgrade to 29.0.7.
For Nextcloud Enterprise Server versions prior to 27.1.11.8, upgrade to 27.1.11.8, 28.0.10 or 29.0.7.
For Nextcloud Enterprise Server versions prior to 28.0.10, upgrade to 28.0.10 or 29.0.7.
For Nextcloud Enterprise Server versions prior to 29.0.7, upgrade to 29.0.7.
Exploit
Fix
Resource Exhaustion
XSS
Related Identifiers
Affected Products
Nextcloud Enterprise Server
Nextcloud Server
Red Os