CVE-2024-52520

Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.

CVSS v3 5.7 MEDIUM

5.7^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pxqf-cfxw-mqmj
https://github.com/nextcloud/server/commit/873c42b0f1383d5b6f2b7a481e1d9620ed30f44a
https://github.com/nextcloud/server/pull/47627

Configurations

No configuration.

History

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) Nextcloud Server es un sistema de nube personal alojado por uno mismo. Debido a una solicitud HEAD preprogramada, el proveedor de referencia de enlaces podría verse engañado y descargar sitios web más grandes de lo previsto para encontrar datos de gráficos abiertos. Se recomienda actualizar Nextcloud Server a 28.0.10 o 29.0.7 y Nextcloud Enterprise Server a 27.1.11.8, 28.0.10 o 29.0.7.

15 Nov 2024, 17:35

Type	Values Removed	Values Added
CWE		CWE-79

15 Nov 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-15 17:15

Updated : 2024-11-18 17:11

NVD link : CVE-2024-52520

Mitre link : CVE-2024-52520

CVE.ORG link : CVE-2024-52520

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.7 /10