CVE-2024-52508

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b	Patch
https://github.com/nextcloud/mail/pull/9964	Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc	Vendor Advisory
https://hackerone.com/reports/2508422	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:mail::::::nextcloud::*
	cpe:2.3:a:nextcloud:mail::::::nextcloud::*
	cpe:2.3:a:nextcloud:mail::::::nextcloud::*
	cpe:2.3:a:nextcloud:mail::::::nextcloud::*
	cpe:2.3:a:nextcloud:mail::::::nextcloud::*

History

01 Oct 2025, 18:10

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b -~~	() https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b - Patch
References	~~() https://github.com/nextcloud/mail/pull/9964 -~~	() https://github.com/nextcloud/mail/pull/9964 - Issue Tracking
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc - Vendor Advisory
References	~~() https://hackerone.com/reports/2508422 -~~	() https://hackerone.com/reports/2508422 - Issue Tracking
First Time		Nextcloud mail Nextcloud
CPE		cpe:2.3:a:nextcloud:mail::::::nextcloud::*
CWE		NVD-CWE-noinfo

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) Nextcloud Mail es la aplicación de correo de Nextcloud, una plataforma de productividad alojada en servidores propios. Cuando un usuario intenta configurar una cuenta de correo con una dirección de correo electrónico como user@example.tld que no admite la configuración automática, y un atacante logra registrar autoconfig.tld, los detalles de correo electrónico utilizados se envían al servidor del atacante. Se recomienda que la aplicación Nextcloud Mail se actualice a 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 o 4.0.0.

15 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 18:15

Updated : 2025-10-01 18:10

NVD link : CVE-2024-52508

Mitre link : CVE-2024-52508

CVE.ORG link : CVE-2024-52508

JSON object : View

Products Affected

nextcloud

mail

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

8.2 /10