CVE-2024-52518

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-52518

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52518.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-52518

Aliases

GHSA-vrhf-532w-99rg

Published

2024-11-15T16:46:44.675Z

Modified

2025-12-01T17:52:10.533184Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Nextcloud Server is missing password confirmation when changing external storage options

Details

Nextcloud Server is a self hosted personal cloud system. After an attacker got access to the session of a user or administrator, the attacker would be able to create, change or delete external storages without having to confirm the password. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52518.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ]
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

e15fcecaf0d382cebff924ec2b1f5319e130c0e8

Fixed

d52e850623bd7f9ea8d880a39e440d58e7145257

Database specific

{
    "versions": [
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.12"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

36ae775aa7c9af22bf33645a2d8807206ec6c85f

Fixed

b35875a225e754cb4fc60e9b1d45d4178ac59d6d

Database specific

{
    "versions": [
        {
            "introduced": "29.0.0"
        },
        {
            "fixed": "29.0.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

656488893e2175e19fbe273d76a5e16a598000c7

Fixed

c23cdf609c38966f00fd44866086767eb7d5f1b2

Database specific

{
    "versions": [
        {
            "introduced": "30.0.0"
        },
        {
            "fixed": "30.0.2"
        }
    ]
}

Affected versions

v28.*

v28.0.0

v28.0.1

v28.0.10

v28.0.10rc1

v28.0.11

v28.0.11rc1

v28.0.12rc1

v28.0.12rc2

v28.0.1rc1

v28.0.2

v28.0.2rc1

v28.0.2rc2

v28.0.2rc3

v28.0.2rc4

v28.0.2rc5

v28.0.3

v28.0.3rc1

v28.0.3rc2

v28.0.4

v28.0.4rc1

v28.0.5

v28.0.5rc1

v28.0.6

v28.0.6rc1

v28.0.7

v28.0.7rc1

v28.0.7rc2

v28.0.7rc3

v28.0.7rc4

v28.0.8

v28.0.8rc1

v28.0.9

v28.0.9rc1

v29.*

v29.0.0

v29.0.1

v29.0.1rc1

v29.0.2

v29.0.2rc1

v29.0.2rc2

v29.0.3

v29.0.3rc1

v29.0.3rc2

v29.0.3rc3

v29.0.3rc4

v29.0.4

v29.0.4rc1

v29.0.5

v29.0.5rc1

v29.0.6

v29.0.6rc1

v29.0.7

v29.0.7rc1

v29.0.8

v29.0.8rc1

v29.0.9rc1

v29.0.9rc2

v30.*

v30.0.0

v30.0.1

v30.0.1rc1

v30.0.1rc2

v30.0.2rc1

v30.0.2rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52518.json"