{"id":"CVE-2024-52513","summary":"Nextcloud Server's Attachments folder for Text app is accessible on \"Files drop\" and \"Password protected\" shares","details":"Nextcloud Server is a self hosted personal cloud system. After receiving a \"Files drop\" or \"Password protected\" share link a malicious user was able to download attachments that are referenced in Text files without providing the password. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.","aliases":["GHSA-gxph-5m4j-pfmj"],"modified":"2026-04-14T04:48:49.167502Z","published":"2024-11-15T17:08:56.019Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52513.json","unresolved_ranges":[{"extracted_events":[{"introduced":"28.0.0"},{"fixed":"28.0.11"},{"introduced":"29.0.0"},{"fixed":"29.0.8"},{"introduced":"30.0.0"},{"fixed":"30.0.1"}],"source":"AFFECTED_FIELD"}],"cwe_ids":["CWE-200"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://hackerone.com/reports/2376900"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52513.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gxph-5m4j-pfmj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52513"},{"type":"FIX","url":"https://github.com/nextcloud/text/commit/ca24b25c93b81626b4e457c260243edeab5f1548"},{"type":"FIX","url":"https://github.com/nextcloud/text/pull/6485"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/server","events":[{"introduced":"e15fcecaf0d382cebff924ec2b1f5319e130c0e8"},{"fixed":"c3f0921c1ec2bd99ed854e316e488b897ac251fa"},{"introduced":"e15fcecaf0d382cebff924ec2b1f5319e130c0e8"},{"fixed":"c3f0921c1ec2bd99ed854e316e488b897ac251fa"},{"introduced":"36ae775aa7c9af22bf33645a2d8807206ec6c85f"},{"fixed":"c553bc228e1e625920faf49a2eb4e1046f9c83c2"},{"introduced":"36ae775aa7c9af22bf33645a2d8807206ec6c85f"},{"fixed":"c553bc228e1e625920faf49a2eb4e1046f9c83c2"},{"introduced":"656488893e2175e19fbe273d76a5e16a598000c7"},{"fixed":"fd746c69f4e5122aebe3e136837473a60fccd3b3"},{"introduced":"656488893e2175e19fbe273d76a5e16a598000c7"},{"fixed":"fd746c69f4e5122aebe3e136837473a60fccd3b3"}],"database_specific":{"versions":[{"introduced":"28.0.0"},{"fixed":"28.0.11"},{"introduced":"28.0.0"},{"fixed":"28.0.11"},{"introduced":"29.0.0"},{"fixed":"29.0.8"},{"introduced":"29.0.0"},{"fixed":"29.0.8"},{"introduced":"30.0.0"},{"fixed":"30.0.1"},{"introduced":"30.0.0"},{"fixed":"30.0.1"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/text","events":[{"introduced":"0"},{"fixed":"ca24b25c93b81626b4e457c260243edeab5f1548"}]}],"versions":["26.0.0-alpha.5","v1.0.0","v1.0.0-alpha1","v1.0.0-alpha2","v1.0.1","v1.0.2","v19.0.0RC1","v19.0.0RC2","v19.0.0beta1","v19.0.0beta2","v19.0.0beta3","v19.0.0beta4","v19.0.0beta5","v19.0.0beta6","v19.0.0beta7","v20.0.0RC1","v20.0.0beta1","v20.0.0beta2","v20.0.0beta3","v20.0.0beta4","v21.0.0beta1","v21.0.0beta2","v21.0.0beta3","v21.0.0beta4","v21.0.0beta5","v21.0.0beta6","v21.0.0beta7","v21.0.0beta8","v22.0.0beta1","v22.0.0beta2","v22.0.0beta3","v22.0.0beta4","v22.0.0beta5","v22.0.0rc1","v23.0.0beta1","v23.0.0beta2","v23.0.0beta3","v24.0.0beta1","v24.0.0beta2","v24.0.0beta3","v24.0.0rc1","v25.0.0beta1","v25.0.0beta2","v25.0.0beta3","v25.0.0beta4","v25.0.0beta5","v25.0.0beta6","v25.0.0beta7","v26.0.0-alpha.2","v26.0.0-alpha.6","v26.0.0-alpha.7","v26.0.0-alpha.8","v26.0.0beta1","v26.0.0beta2","v26.0.0beta3","v26.0.0beta4","v26.0.0beta5","v26.0.0rc1","v27.0.0beta1","v27.0.0beta2","v27.0.0rc1","v28.0.0","v28.0.0beta1","v28.0.0beta2","v28.0.0beta3","v28.0.0beta4","v28.0.1","v28.0.10","v28.0.10rc1","v28.0.11rc1","v28.0.1rc1","v28.0.2","v28.0.2rc1","v28.0.2rc2","v28.0.2rc3","v28.0.2rc4","v28.0.2rc5","v28.0.3","v28.0.3rc1","v28.0.3rc2","v28.0.4","v28.0.4rc1","v28.0.5","v28.0.5rc1","v28.0.6","v28.0.6rc1","v28.0.7","v28.0.7rc1","v28.0.7rc2","v28.0.7rc3","v28.0.7rc4","v28.0.8","v28.0.8rc1","v28.0.9","v28.0.9rc1","v29.0.0","v29.0.0beta1","v29.0.0beta2","v29.0.0beta3","v29.0.0beta4","v29.0.0beta5","v29.0.0beta6","v29.0.0rc1","v29.0.1","v29.0.1rc1","v29.0.2","v29.0.2rc1","v29.0.2rc2","v29.0.3","v29.0.3rc1","v29.0.3rc2","v29.0.3rc3","v29.0.3rc4","v29.0.4","v29.0.4rc1","v29.0.5","v29.0.5rc1","v29.0.6","v29.0.6rc1","v29.0.7","v29.0.7rc1","v29.0.8rc1","v30.0.0","v30.0.0beta1","v30.0.0beta2","v30.0.0beta3","v30.0.0beta4","v30.0.0beta5","v30.0.1rc1","v30.0.1rc2"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"25.0.0"},{"fixed":"25.0.13.13"}]},{"events":[{"introduced":"26.0.0"},{"fixed":"26.0.13.9"}]},{"events":[{"introduced":"27.0.0"},{"fixed":"27.1.11.9"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52513.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"}]}