PT-2024-9159 · Nextcloud+2 · Nextcloud Server+3

Tuyenee · Published 2024-09-26 · Updated 2025-02-01 · CVE-2024-52517

CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions:
Nextcloud Server versions prior to 28.0.11
Nextcloud Server versions prior to 29.0.8
Nextcloud Server versions prior to 30.0.1
Nextcloud Enterprise Server versions prior to 25.0.13.13
Nextcloud Enterprise Server versions prior to 26.0.13.9
Nextcloud Enterprise Server versions prior to 27.1.11.9
Nextcloud Enterprise Server versions prior to 28.0.11
Nextcloud Enterprise Server versions prior to 29.0.8
Nextcloud Enterprise Server versions prior to 30.0.1

Description: The issue is related to insufficient protection of service data in Nextcloud Server and Nextcloud Enterprise Server, allowing an attacker with access to an active user session to read stored "Global credentials" in plain text. The API returns these credentials and adds them to the frontend, making them accessible.

Recommendations:
Upgrade Nextcloud Server to version 28.0.11
Upgrade Nextcloud Server to version 29.0.8
Upgrade Nextcloud Server to version 30.0.1
Upgrade Nextcloud Enterprise Server to version 25.0.13.13
Upgrade Nextcloud Enterprise Server to version 26.0.13.9
Upgrade Nextcloud Enterprise Server to version 27.1.11.9
Upgrade Nextcloud Enterprise Server to version 28.0.11
Upgrade Nextcloud Enterprise Server to version 29.0.8
Upgrade Nextcloud Enterprise Server to version 30.0.1

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2025-1663
ALT-PU-2025-1855
ALT-PU-2025-2137
BDU:2024-10846
CVE-2024-52517
GHSA-X9Q3-C7F8-3RCG

Affected Products

Alt Linux
Nextcloud Enterprise Server
Nextcloud Server
Red Os