PT-2024-9160 · Nextcloud+2 · Nextcloud Server+3

Tuyenee · Published 2024-10-31 · Updated 2025-10-01 · CVE-2024-52523

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Nextcloud Server versions prior to 28.0.12
Nextcloud Server versions prior to 29.0.9
Nextcloud Server versions prior to 30.0.2
Nextcloud Enterprise Server versions prior to 25.0.13.14
Nextcloud Enterprise Server versions prior to 26.0.13.10
Nextcloud Enterprise Server versions prior to 27.1.11.10
Nextcloud Enterprise Server versions prior to 28.0.12
Nextcloud Enterprise Server versions prior to 29.0.9
Nextcloud Enterprise Server versions prior to 30.0.2
Description: Nextcloud Server and Nextcloud Enterprise Server insufficiently protect service data, allowing an attacker with access to an active user session to read external storage credentials in plain text. This occurs when a user or administrator sets up external storage with fixed credentials: the API returns these credentials, and they are added to the frontend.
Recommendations:
For Nextcloud Server versions prior to 28.0.12, upgrade to version 28.0.12 or later.
For Nextcloud Server versions prior to 29.0.9, upgrade to version 29.0.9 or later.
For Nextcloud Server versions prior to 30.0.2, upgrade to version 30.0.2 or later.
For Nextcloud Enterprise Server versions prior to 25.0.13.14, upgrade to version 25.0.13.14 or later.
For Nextcloud Enterprise Server versions prior to 26.0.13.10, upgrade to version 26.0.13.10 or later.
For Nextcloud Enterprise Server versions prior to 27.1.11.10, upgrade to version 27.1.11.10 or later.
For Nextcloud Enterprise Server versions prior to 28.0.12, upgrade to version 28.0.12 or later.
For Nextcloud Enterprise Server versions prior to 29.0.9, upgrade to version 29.0.9 or later.
For Nextcloud Enterprise Server versions prior to 30.0.2, upgrade to version 30.0.2 or later.

Exploit

Fix

Out of bounds Read

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2025-1663
ALT-PU-2025-1855
ALT-PU-2025-2137
BDU:2024-10847
CVE-2024-52523
GHSA-42W6-R45M-9W9J

Affected Products

Alt Linux
Nextcloud Enterprise Server
Nextcloud Server
Red Os