CVE-2024-52513

Nextcloud Server is a self hosted personal cloud system. After receiving a "Files drop" or "Password protected" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.

CVSS v3 2.6 LOW

2.6^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj	Vendor Advisory
https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548	Patch
https://github.com/nextcloud/text/pull/6485	Issue Tracking
https://hackerone.com/reports/2376900	Issue Tracking

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*
	cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::*

History

01 Oct 2025, 18:04

Type	Values Removed	Values Added
First Time		Nextcloud nextcloud Server Nextcloud
CWE		NVD-CWE-noinfo
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj - Vendor Advisory
References	~~() https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548 -~~	() https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548 - Patch
References	~~() https://github.com/nextcloud/text/pull/6485 -~~	() https://github.com/nextcloud/text/pull/6485 - Issue Tracking
References	~~() https://hackerone.com/reports/2376900 -~~	() https://hackerone.com/reports/2376900 - Issue Tracking
CPE		cpe:2.3:a:nextcloud:nextcloud_server:::::enterprise:::* cpe:2.3:a:nextcloud:nextcloud_server:::::-:::*

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) Nextcloud Server es un sistema de nube personal alojado por uno mismo. Después de recibir un enlace para compartir con el mensaje "Files drop" o "Password protected", un usuario malintencionado pudo descargar archivos adjuntos a los que se hace referencia en archivos de texto sin proporcionar la contraseña. Se recomienda actualizar Nextcloud Server a 28.0.11, 29.0.8 o 30.0.1 y Nextcloud Enterprise Server a 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 o 30.0.1.

15 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 18:15

Updated : 2025-10-01 18:04

NVD link : CVE-2024-52513

Mitre link : CVE-2024-52513

CVE.ORG link : CVE-2024-52513

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

2.6 /10