CVE-2024-37885 LOW

CVE-2024-37885: Code injection in Nextcloud Desktop Client for macOS

Vendor Nextcloud
Product security-advisories
Weakness CWE-94 · Code injection
Published June 14, 2024
Last update August 2, 2024

CVSS base score

3.8/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01 Description

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed arbitrary code to be loaded when starting the client with `DYLD_INSERT_LIBRARIES` set in the environment. It is recommended that the Nextcloud Desktop Client is upgraded to 3.12.0.

Key dates

02 Disclosure timeline

June 14, 2024 CVE published
August 2, 2024 Record updated