fkie_cve-2024-52509
Vulnerability from fkie_nvd
Published
2024-11-15 18:15
Modified
2024-11-18 17:11
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Summary
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2.
References
security-advisories@github.comhttps://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b
security-advisories@github.comhttps://github.com/nextcloud/mail/pull/9592
security-advisories@github.comhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862
security-advisories@github.comhttps://hackerone.com/reports/1878255
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2."
    },
    {
      "lang": "es",
      "value": "Nextcloud Mail es la aplicaci\u00f3n de correo de Nextcloud, una plataforma de productividad alojada en servidores propios. La aplicaci\u00f3n de correo de Nextcloud permit\u00eda por error adjuntar archivos compartidos sin permisos de descarga como archivos adjuntos. Esto permit\u00eda a los usuarios enviarse los archivos a s\u00ed mismos y luego descargarlos desde sus clientes de correo. Se recomienda actualizar Nextcloud Mail a la versi\u00f3n 2.2.10, 3.6.2 o 3.7.2."
    }
  ],
  "id": "CVE-2024-52509",
  "lastModified": "2024-11-18T17:11:56.587",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-15T18:15:29.280",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nextcloud/mail/pull/9592"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://hackerone.com/reports/1878255"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-284"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.