{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52513", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-11T18:49:23.558Z", "datePublished": "2024-11-15T17:08:56.019Z", "dateUpdated": "2024-11-15T17:33:35.575Z"}, "containers": {"cna": {"title": "Nextcloud Server's Attachments folder for Text app is accessible on \"Files drop\" and \"Password protected\" shares", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj"}, {"name": "https://github.com/nextcloud/text/pull/6485", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/text/pull/6485"}, {"name": "https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548"}, {"name": "https://hackerone.com/reports/2376900", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/2376900"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": ">= 28.0.0, < 28.0.11", "status": "affected"}, {"version": ">= 29.0.0, < 29.0.8", "status": "affected"}, {"version": ">= 30.0.0, < 30.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-15T17:08:56.019Z"}, "descriptions": [{"lang": "en", "value": "Nextcloud Server is a self hosted personal cloud system. After receiving a \"Files drop\" or \"Password protected\" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1."}], "source": {"advisory": "GHSA-gxph-5m4j-pfmj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-15T17:33:15.473323Z", "id": "CVE-2024-52513", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T17:33:35.575Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B0D006AC-629B-4A6D-9396-DCE62C3C8D80", "versionEndExcluding": "25.0.13.13", "versionStartIncluding": "25.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6D45CC15-D185-4413-A23B-F6429C5B5C01", "versionEndExcluding": "26.0.13.9", "versionStartIncluding": "26.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "3333CF87-D08E-4B39-B783-F98D05B61F29", "versionEndExcluding": "27.1.11.9", "versionStartIncluding": "27.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "matchCriteriaId": "F3877670-62F5-4DC6-9DBA-1CAA0973EED5", "versionEndExcluding": "28.0.11", "versionStartIncluding": "28.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "4B8ACC01-5984-4DEF-866C-75D1E2B44108", "versionEndExcluding": "28.0.11", "versionStartIncluding": "28.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "matchCriteriaId": "C6ED3761-5F4D-41EF-A060-14B43621791D", "versionEndExcluding": "29.0.8", "versionStartIncluding": "29.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "B32EC615-5F85-42EF-A2D9-540DB7AC3711", "versionEndExcluding": "29.0.8", "versionStartIncluding": "29.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "matchCriteriaId": "C7AA598E-F4CB-42C6-8540-6A6CCBA25AA6", "versionEndExcluding": "30.0.1", "versionStartIncluding": "30.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "E3D35A99-8C6A-4808-AE2C-0947113DBA58", "versionEndExcluding": "30.0.1", "versionStartIncluding": "30.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Server is a self hosted personal cloud system. After receiving a \"Files drop\" or \"Password protected\" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1."}, {"lang": "es", "value": "Nextcloud Server es un sistema de nube personal alojado por uno mismo. Despu\u00e9s de recibir un enlace para compartir con el mensaje \"Files drop\" o \"Password protected\", un usuario malintencionado pudo descargar archivos adjuntos a los que se hace referencia en archivos de texto sin proporcionar la contrase\u00f1a. Se recomienda actualizar Nextcloud Server a 28.0.11, 29.0.8 o 30.0.1 y Nextcloud Enterprise Server a 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 o 30.0.1."}], "id": "CVE-2024-52513", "lastModified": "2025-10-01T18:04:28.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-15T18:15:30.157", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/nextcloud/text/pull/6485"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://hackerone.com/reports/2376900"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}