{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52509", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-11T18:49:23.558Z", "datePublished": "2024-11-15T17:37:47.035Z", "dateUpdated": "2024-11-15T18:11:49.618Z"}, "containers": {"cna": {"title": "Nextcloud Mail app does not respect download permissions in shares", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862"}, {"name": "https://github.com/nextcloud/mail/pull/9592", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/mail/pull/9592"}, {"name": "https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b"}, {"name": "https://hackerone.com/reports/1878255", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1878255"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": ">=2.2.0, < 2.2.10", "status": "affected"}, {"version": ">= 3.6.0, < 3.6.2", "status": "affected"}, {"version": ">= 3.7.0, < 3.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-15T17:37:47.035Z"}, "descriptions": [{"lang": "en", "value": "Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2."}], "source": {"advisory": "GHSA-pwpp-fvcr-w862", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-15T18:11:39.753390Z", "id": "CVE-2024-52509", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T18:11:49.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52509", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-15T18:11:39.753390Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T18:11:44.229Z"}}], "cna": {"title": "Nextcloud Mail app does not respect download permissions in shares", "source": {"advisory": "GHSA-pwpp-fvcr-w862", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"status": "affected", "version": ">=2.2.0, < 2.2.10"}, {"status": "affected", "version": ">= 3.6.0, < 3.6.2"}, {"status": "affected", "version": ">= 3.7.0, < 3.7.2"}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nextcloud/mail/pull/9592", "name": "https://github.com/nextcloud/mail/pull/9592", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b", "name": "https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/1878255", "name": "https://hackerone.com/reports/1878255", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-15T17:37:47.035Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52509", "state": "PUBLISHED", "dateUpdated": "2024-11-15T18:11:49.618Z", "dateReserved": "2024-11-11T18:49:23.558Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-15T17:37:47.035Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*", "matchCriteriaId": "71F48C3B-3F91-4021-8B87-EE525B3CC0B3", "versionEndExcluding": "2.2.10", "versionStartIncluding": "2.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*", "matchCriteriaId": "F22F1BBB-07B8-4621-8566-E838716EAF46", "versionEndExcluding": "3.6.2", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*", "matchCriteriaId": "5E0F8673-71CA-4016-A13C-49D4E6DE6530", "versionEndExcluding": "3.7.2", "versionStartIncluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2."}, {"lang": "es", "value": "Nextcloud Mail es la aplicaci\u00f3n de correo de Nextcloud, una plataforma de productividad alojada en servidores propios. La aplicaci\u00f3n de correo de Nextcloud permit\u00eda por error adjuntar archivos compartidos sin permisos de descarga como archivos adjuntos. Esto permit\u00eda a los usuarios enviarse los archivos a s\u00ed mismos y luego descargarlos desde sus clientes de correo. Se recomienda actualizar Nextcloud Mail a la versi\u00f3n 2.2.10, 3.6.2 o 3.7.2."}], "id": "CVE-2024-52509", "lastModified": "2025-09-04T23:55:37.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-15T18:15:29.280", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nextcloud/mail/commit/8d44f1ce44684022aa4e62a3e0462fdadcde6c8b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nextcloud/mail/pull/9592"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwpp-fvcr-w862"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://hackerone.com/reports/1878255"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}