CVE-2024-52517

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.

Published: Nov 15, 2024
Updated: May 4, 2025
CVE: CVE-2024-52517
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
nextcloud / nextcloud_server	27.0.0	27.1.11.9
nextcloud / nextcloud_server	26.0.0	26.0.13.9
nextcloud / nextcloud_server	30.0.0	30.0.1
nextcloud / nextcloud_server	29.0.0	29.0.8
nextcloud / nextcloud_server	28.0.0	28.0.11
nextcloud / nextcloud_server	25.0.0	25.0.13.13

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x9q3-c7f8-3rcg
https://github.com/nextcloud/server/commit/c45ed55f959ff54f3ea23dd2ae1a5868a075c9fe
https://github.com/nextcloud/server/pull/48359
https://hackerone.com/reports/2554079

Vulnerability Database

289,599

CVE-2024-52517