CVE-2024-52523

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-52523

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52523.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-52523

Aliases

GHSA-42w6-r45m-9w9j

Published

2024-11-15T16:35:39.424Z

Modified

2026-03-12T03:42:01.252713Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Nextcloud Server Custom defined credentials of external storages are sent back to the frontend

Details

Nextcloud Server is a self hosted personal cloud system. After setting up a user or administrator defined external storage with fixed credentials, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.12, 29.0.9 or 30.0.2 and Nextcloud Enterprise Server is upgraded to 25.0.13.14, 26.0.13.10, 27.1.11.10, 28.0.12, 29.0.9 or 30.0.2.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52523.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-200"
    ]
}

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

e15fcecaf0d382cebff924ec2b1f5319e130c0e8

Fixed

d52e850623bd7f9ea8d880a39e440d58e7145257

Database specific

{
    "versions": [
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.12"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

36ae775aa7c9af22bf33645a2d8807206ec6c85f

Fixed

b35875a225e754cb4fc60e9b1d45d4178ac59d6d

Database specific

{
    "versions": [
        {
            "introduced": "29.0.0"
        },
        {
            "fixed": "29.0.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

656488893e2175e19fbe273d76a5e16a598000c7

Fixed

c23cdf609c38966f00fd44866086767eb7d5f1b2

Database specific

{
    "versions": [
        {
            "introduced": "30.0.0"
        },
        {
            "fixed": "30.0.2"
        }
    ]
}

Affected versions

v28.*

v28.0.0

v28.0.1

v28.0.10

v28.0.10rc1

v28.0.11

v28.0.11rc1

v28.0.12rc1

v28.0.12rc2

v28.0.1rc1

v28.0.2

v28.0.2rc1

v28.0.2rc2

v28.0.2rc3

v28.0.2rc4

v28.0.2rc5

v28.0.3

v28.0.3rc1

v28.0.3rc2

v28.0.4

v28.0.4rc1

v28.0.5

v28.0.5rc1

v28.0.6

v28.0.6rc1

v28.0.7

v28.0.7rc1

v28.0.7rc2

v28.0.7rc3

v28.0.7rc4

v28.0.8

v28.0.8rc1

v28.0.9

v28.0.9rc1

v29.*

v29.0.0

v29.0.1

v29.0.1rc1

v29.0.2

v29.0.2rc1

v29.0.2rc2

v29.0.3

v29.0.3rc1

v29.0.3rc2

v29.0.3rc3

v29.0.3rc4

v29.0.4

v29.0.4rc1

v29.0.5

v29.0.5rc1

v29.0.6

v29.0.6rc1

v29.0.7

v29.0.7rc1

v29.0.8

v29.0.8rc1

v29.0.9rc1

v29.0.9rc2

v30.*

v30.0.0

v30.0.1

v30.0.1rc1

v30.0.1rc2

v30.0.2rc1

v30.0.2rc2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52523.json"