CVE-2024-52508

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-52508

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52508.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-52508

Aliases

GHSA-vmhx-hwph-q6mc

Published

2024-11-15T17:34:21.900Z

Modified

2026-04-10T05:15:07.760479Z

Severity

8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L CVSS Calculator

Summary

Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers

Details

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.

Database specific

{
    "cwe_ids": [
        "CWE-200"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52508.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/nextcloud/mail

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/mail

Events

Introduced

f1c4d938cee68c8976393a566a10e21b4098f536

Fixed

a69d8295933c54cf98f55842d0a60b7cc1f1bc3e

Database specific

{
    "versions": [
        {
            "introduced": "1.9.0"
        },
        {
            "fixed": "1.14.6"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/mail

Events

Introduced

9eb32f249939ca5783c109a13ccb0d3a261744cb

Fixed

341688b4ce07d3ac0823899ede403ca12e52f94a

Database specific

{
    "versions": [
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.2.11"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/mail

Events

Introduced

Fixed

2766ae05a7f3a82977f04414c3150dafd9eafa9c

Database specific

{
    "versions": [
        {
            "introduced": "3.1.0"
        },
        {
            "fixed": "3.6.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/mail

Events

Introduced

778e748e37109149f8168a6cbbd1c3366594ff1b

Fixed

8480cb6b26bce880d0706dc62e9feaf9f68df2b7

Database specific

{
    "versions": [
        {
            "introduced": "1.15.0"
        },
        {
            "fixed": "1.15.4"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/mail

Events

Introduced

d12ce32074a72e61723e9e56793ba4d0d3e41981

Fixed

ec37b464ab9b22d0c882bb6646772c20210c6327

Database specific

{
    "versions": [
        {
            "introduced": "3.7.0"
        },
        {
            "fixed": "3.7.7"
        }
    ]
}

Affected versions

1.*

1.10.0-alpha.7

1.6.2

Other

nighly-20170831

nightly-20161202

nightly-20161208

nightly-20161218

nightly-20170117

nightly-20170612

nightly-20170823

nightly-20170831

nightly-20170906

nightly-20170913

nightly-20171127

nightly-20171212

nightly-20180410

nightly-20200115

nightly-20200423

nightly-20200427

nightly-20200506

nightly-20200513

untagged-bd8a3cab1eb0022ec683

v0.*

v0.1.0

v0.1.3

v0.10.0

v0.11.0

v0.12.0

v0.12.0-RC2

v0.12.0-RC3

v0.12.0-alpha3

v0.12.0-beta1

v0.12.0-beta2

v0.12.0-beta4

v0.12.0-beta5

v0.13.0

v0.14.0

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.15.4

v0.15.5

v0.16.0

v0.17.0

v0.18.0

v0.18.0-RC1

v0.18.1

v0.19.0

v0.19.1

v0.2.0

v0.20.0

v0.20.1

v0.20.2

v0.20.3

v0.21.0

v0.21.1

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.5.0

v0.5.1

v0.5.2

v0.6.2

v0.7.0

v0.7.1

v0.7.10

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v0.8.0

v0.8.0-alpha1

v0.8.0-beta1

v0.8.1

v0.8.2

v0.8.3

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.10.0-RC.1

v1.10.0-alpha.4

v1.10.0-alpha.6

v1.10.0-alpha.7

v1.11.0

v1.11.0-rc1

v1.12.0-rc.1

v1.13.0-beta1

v1.13.0-beta3

v1.14.0

v1.14.0-alpha4

v1.14.0-beta1

v1.14.0-beta2

v1.14.0-beta3

v1.14.0-rc.1

v1.14.0-rc.2

v1.14.1

v1.14.2

v1.14.3

v1.14.3.alpha.1

v1.14.4

v1.14.5

v1.15.0

v1.15.1

v1.15.2

v1.15.3

v1.3.0

v1.3.0-RC1

v1.3.0-beta1

v1.3.0-beta2

v1.3.0-beta3

v1.3.1

v1.3.2

v1.3.3

v1.4.0-beta1

v1.4.0-beta2

v1.4.0-rc1

v1.5.0

v1.5.0-alpha3

v1.5.0-beta1

v1.5.0-beta2

v1.5.0-beta3

v1.5.0-rc1

v1.5.0-rc2

v1.6.0

v1.7.0

v1.8.0

v1.9.0

v1.9.0-alpha2

v1.9.0-alpha3

v2.*

v2.0.0-RC1

v2.0.0-beta.5

v2.0.0-beta.6

v2.0.0-beta.7

v2.0.0-beta1

v2.0.0-beta3

v2.0.0-beta4

v2.1.0-rc1

v2.3.0-alpha.4

v3.*

v3.0.0-alpha.1

v3.0.0-beta.2

v3.2.0-alpha.1

v3.2.0-alpha.2

v3.2.0-beta.1

v3.2.0-beta.2

v3.2.0-rc.1

v3.3.0-alpha.1

v3.4.0-alpha.3

v3.4.0-beta.1

v3.4.0-beta.2

v3.4.0-beta.3

v3.4.0-beta.4

v3.4.0-rc.1

v3.5.0-beta1

v3.5.0-beta2

v3.5.0-beta3

v3.6.0

v3.6.0-beta1

v3.6.0-beta2

v3.6.0-beta3

v3.6.0-rc1

v3.6.0-rc2

v3.6.0-rc3

v3.6.1

v3.6.2

v3.7.0

v3.7.1

v3.7.2

v3.7.3

v3.7.4

v3.7.5

v3.7.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52508.json"