Cleartext storage of sensitive information in Nextcloud Server and Nextcloud Enterprise Server - CVE-2024-52525

 


Published: January 20, 2025


Vulnerability identifier: #VU103062
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-52525
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Nextcloud
Affected software:
Nextcloud Server
Nextcloud Enterprise Server

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists because the user password is available in the memory of the PHP process. An administrator with physical access can gain access to sensitive information on the target system.


How to mitigate CVE-2024-52525

Install updates from the vendor's website.

Sources