Nextcloud Mail Auto-Configuration Information Disclosure Vulnerability
CVE-2024-52508 Published on November 15, 2024
Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user tries to set up a mail account with an email address like user@example.tld whose domain does not support auto-configuration, and an attacker has managed to register autoconfig.tld, the email account details entered by the user are sent to the attacker's server. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
Vulnerability Analysis
CVE-2024-52508 is exploitable with network access and requires user interaction. This vulnerability is considered to have a high level of attack complexity. A successful exploit is considered to have a high impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2024-52508 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2024-52508
Affected Versions
nextcloud security-advisories:
- Version >= 1.9.0, < 1.14.6 is affected.
- Version >= 2.1.0, < 2.2.11 is affected.
- Version >= 3.1.0, < 3.6.3 is affected.
- Version >= 1.15.0, < 1.15.4 is affected.
- Version >= 3.7.0, < 3.7.7 is affected.
- Version 1.9.0 and below 1.14.6 is affected.
- Version 2.1.0 and below 2.2.11 is affected.
- Version 3.1.0 and below 3.6.3 is affected.
- Version 1.15.0 and below 15.4.0 is affected.
- Version 3.7.0 and below 3.7.7 is affected.
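The following check is an added example, not code from Nextcloud or from this page: it parses the ">= low, < fixed" entries listed above and reports whether an installed Mail app version falls in an affected range and which fixed release closes that range. The helper names and the installed versions passed to it are constructed for illustration.

```python
import re

# Ranges copied from the ">= low, < fixed" entries in the list above.
AFFECTED_LINES = """\
- Version >= 1.9.0, < 1.14.6 is affected.
- Version >= 2.1.0, < 2.2.11 is affected.
- Version >= 3.1.0, < 3.6.3 is affected.
- Version >= 1.15.0, < 1.15.4 is affected.
- Version >= 3.7.0, < 3.7.7 is affected.
"""

RANGE_RE = re.compile(r">=\s*([\d.]+),\s*<\s*([\d.]+)")


def parse_version(text):
    """Turn '3.6.3' into (3, 6, 3) so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # pad '3.7' to (3, 7, 0)


def parse_ranges(lines):
    """Extract (low, fixed) version tuples from advisory range lines."""
    ranges = []
    for line in lines.splitlines():
        match = RANGE_RE.search(line)
        if match:
            ranges.append((parse_version(match.group(1)),
                           parse_version(match.group(2))))
    return ranges


def check(installed, ranges=None):
    """Return (affected, fixed_version); fixed_version is None if unaffected."""
    ranges = parse_ranges(AFFECTED_LINES) if ranges is None else ranges
    version = parse_version(installed)
    for low, fixed in ranges:
        if low <= version < fixed:  # low is inclusive, fixed is exclusive
            return True, ".".join(str(n) for n in fixed)
    return False, None


if __name__ == "__main__":
    # Constructed installed versions, not taken from any real instance.
    for sample in ("1.14.5", "3.10.0", "2.2.10", "4.0.0"):
        print(sample, check(sample))
```

Versions are compared as integer tuples because a plain string comparison would sort 3.10.0 below 3.6.3 and report it as affected.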
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.