Main Vulnerability Database Vulnerabilities #VU103056

Information disclosure in Nextcloud Server and Nextcloud Enterprise Server - CVE-2024-52523

Published: January 20, 2025

Vulnerability identifier: #VU103056

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-52523

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Nextcloud

Affected software:
Nextcloud Server
Nextcloud Enterprise Server

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to custom defined credentials of external storages are sent back to the frontend. An administrator with physical access can gain unauthorized access to sensitive information on the system.

How to mitigate CVE-2024-52523

Install updates from vendor's website.

Sources

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-42w6-r45m-9w9j
https://github.com/nextcloud/server/pull/49009
https://github.com/nextcloud/server/commit/8a13f284765bd4606984e7d925c32ae6e82b8a27

Information disclosure in Nextcloud Server and Nextcloud Enterprise Server - CVE-2024-52523

Detailed vulnerability description

How to mitigate CVE-2024-52523

Sources

Please verify you're human