CVE-2024-52518 MEDIUM

CVE-2024-52518: Nextcloud Server is missing password confirmation when changing external storage options

Vendor: Nextcloud
Product: security-advisories
Weakness: CWE-287 · Improper authentication
Published: November 15, 2024
Last update: November 15, 2024

CVSS base score

4.4/10
Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Nextcloud Server is a self-hosted personal cloud system. An attacker who has gained access to the session of a user or administrator can create, change or delete external storages without having to confirm the password. It is recommended that Nextcloud Server be upgraded to 28.0.12, 29.0.9 or 30.0.2.

Key dates

02 Disclosure timeline

November 15, 2024: CVE published
November 15, 2024: Record updated