Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-52517

Medium

4.6/10

Summary

Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.

Attack Complexity: HIGH
Attack Vector: PHYSICAL
Integrity Impact: NONE
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-200 - Information Exposure

An information exposure vulnerability is categorized as an information flow (IF) weakness, which can potentially allow unauthorized access to otherwise classified information in the application, such as confidential personal information (demographics, financials, health records, etc.), business secrets, and the application's internal environment.

References

Advisory Timeline

Published Nov 15, 2024

Exposure of Sensitive Information to an Unauthorized Actor

CVE-2024-52517

Summary

CWE-200 - Information Exposure

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS