Session Hijack Enables External Storage Changes in Nextcloud 28.0.11
CVE-2024-52518 Published on November 15, 2024
Nextcloud Server is missing password confirmation when changing external storage options
Nextcloud Server is a self-hosted personal cloud system. After an attacker has gained access to the session of a user or administrator, the attacker is able to create, change or delete external storages without having to confirm the password. It is recommended that Nextcloud Server be upgraded to 28.0.12, 29.0.9 or 30.0.2.
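The weakness the advisory describes is the absence of a second, password-backed check in front of a sensitive settings change: a valid session alone was enough. The following is an added example, not Nextcloud's own code, that models that gate in a small mount registry so the unguarded and guarded behaviour can be compared side by side. All names (Session, UserStore, ExternalStorages, ensure_recent_confirmation) and the 30-minute window are assumptions made for the illustration.

```python
"""Password-confirmation gate for sensitive settings (illustrative, not Nextcloud code).

A session cookie alone must not suffice to create, change or delete an external
storage mount; the action must also see a recent confirmation that was obtained
by presenting the account password on *this* session.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

CONFIRMATION_MAX_AGE = 30 * 60  # seconds; assumed window for this example


@dataclass
class Session:
    user: str
    last_password_confirm: float = 0.0  # epoch seconds of last successful re-auth


class UserStore:
    """Salted PBKDF2 password hashes for constructed demo accounts."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, self._hash(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self._creds:
            return False
        salt, expected = self._creds[user]
        return hmac.compare_digest(expected, self._hash(password, salt))


class PasswordConfirmationRequired(Exception):
    """Sensitive action attempted without a fresh password confirmation."""


def confirm_password(session: Session, users: UserStore, password: str, now: float) -> bool:
    """Re-authenticate the current session; holding the cookie is not enough here."""
    if not users.verify(session.user, password):
        return False
    session.last_password_confirm = now
    return True


def ensure_recent_confirmation(session: Session, now: float) -> None:
    age = now - session.last_password_confirm
    if session.last_password_confirm <= 0 or age > CONFIRMATION_MAX_AGE:
        raise PasswordConfirmationRequired("confirm your password to change external storages")


class ExternalStorages:
    """Mount registry. require_confirmation=False reproduces the weakness class
    (any session holder may edit mounts); True is the hardened form."""

    def __init__(self, require_confirmation: bool = True) -> None:
        self.require_confirmation = require_confirmation
        self.mounts: Dict[str, str] = {}

    def _gate(self, session: Session, now: float) -> None:
        if self.require_confirmation:
            ensure_recent_confirmation(session, now)

    def create(self, session: Session, name: str, backend: str, now: float) -> None:
        self._gate(session, now)
        self.mounts[name] = backend

    def delete(self, session: Session, name: str, now: float) -> None:
        self._gate(session, now)
        self.mounts.pop(name, None)


def simulate(require_confirmation: bool) -> Dict[str, bool]:
    """Replay three attempts on ONE server-side session and report which succeeded:
    a stolen cookie used before any confirmation, the owner right after confirming,
    and the stolen cookie again once the confirmation window has lapsed."""
    users = UserStore()
    users.add("alice", "correct horse battery staple")  # constructed demo credential
    storages = ExternalStorages(require_confirmation)
    session = Session(user="alice")
    t0 = 1_700_000_000.0

    def attempt(now: float) -> bool:
        try:
            storages.create(session, "s3-backups", "s3://example-bucket", now)
            return True
        except PasswordConfirmationRequired:
            return False

    results = {"hijacked_before_confirmation": attempt(t0)}
    confirm_password(session, users, "correct horse battery staple", t0)
    results["owner_after_confirmation"] = attempt(t0 + 60)
    results["hijacked_after_window"] = attempt(t0 + CONFIRMATION_MAX_AGE + 1)
    return results


if __name__ == "__main__":
    print("unguarded:", simulate(False))
    print("guarded:  ", simulate(True))
```

The guarded registry rejects the two attempts made on the bare session and accepts only the one that follows a fresh confirmation; the unguarded registry accepts all three, which is the behaviour the advisory reports. The gate is deliberately a short window bound to the session rather than a one-time flag: a hijacker riding the same session inside that window still passes, so the window has to be short and the confirmation must be re-requested per sensitive action.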
Vulnerability Analysis
CVE-2024-52518 is exploitable with network access and requires user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be high for confidentiality, with no impact on integrity and availability.
Weakness Type
What is an authentication vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2024-52518 has been classified as an authentication vulnerability or weakness.
Products Associated with CVE-2024-52518
Affected Versions
Source: nextcloud security-advisories
- Version >= 28.0.0, < 28.0.12 is affected.
- Version >= 29.0.0, < 29.0.9 is affected.
- Version >= 30.0.0, < 30.0.2 is affected.
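To turn the three ranges above into a check an operator can run against an instance, here is an added example (not a stack.watch or Nextcloud tool). The ranges are copied from the advisory; the assumed input format is the `versionstring:` line printed by `occ status`, which is parsed from a constructed sample below.

```python
"""Check a Nextcloud Server version against the CVE-2024-52518 affected ranges.

Added example for this page. The tuples below are the advisory's three ranges
(first affected, first fixed); the `occ status` parsing assumes a line of the
form "  - versionstring: 28.0.11".
"""
import re
from typing import Optional, Tuple

AFFECTED_RANGES = [
    ("28.0.0", "28.0.12"),
    ("29.0.0", "29.0.9"),
    ("30.0.0", "30.0.2"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'28.0.11' -> (28, 0, 11); a fourth build component is kept if present."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None.
    Tuple comparison makes (28, 0, 11, 1) sort below (28, 0, 12) as intended."""
    parsed = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= parsed < parse_version(first_fixed):
            return first_fixed
    return None


def version_from_occ_status(output: str) -> Optional[str]:
    """Pull the human-readable version out of `occ status` text (assumed format)."""
    m = re.search(r"versionstring:\s*([0-9][0-9.]*)", output)
    return m.group(1) if m else None


def assess_occ_status(output: str) -> str:
    """One-line verdict for an `occ status` dump."""
    version = version_from_occ_status(output)
    if version is None:
        return "could not determine version from occ status output"
    target = fixed_version_for(version)
    if target is None:
        return f"{version}: not in an affected range for CVE-2024-52518"
    return f"{version}: affected by CVE-2024-52518, upgrade to {target}"


# Constructed sample of `occ status` output; values are for the example only.
SAMPLE_OCC_STATUS = """\
  - installed: true
  - version: 28.0.11.1
  - versionstring: 28.0.11
  - edition:
  - maintenance: false
"""

if __name__ == "__main__":
    print(assess_occ_status(SAMPLE_OCC_STATUS))
```

A version below the first affected release of a branch (for example a 27.x release) is reported as outside these ranges; that says only that the advisory does not list it, not that the release is supported.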
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.