CVE-2024-52520
- Source
- https://cve.org/CVERecord?id=CVE-2024-52520
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52520.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-52520
- Aliases
-
- GHSA-pxqf-cfxw-mqmj
- Published
- 2024-11-15T16:41:42.412Z
- Modified
- 2025-12-05T07:20:44.743980Z
- Severity
-
- 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Nextcloud Server's link reference provider can be tricked into downloading bigger files than intended
- Details
-
Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7.
- Database specific
{ "cwe_ids": [ "CWE-400" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52520.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52520.json
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pxqf-cfxw-mqmj
- https://github.com/nextcloud/server/commit/873c42b0f1383d5b6f2b7a481e1d9620ed30f44a
- https://github.com/nextcloud/server/pull/47627
- https://nvd.nist.gov/vuln/detail/CVE-2024-52520
Affected packages
Git / github.com/nextcloud/server
Affected ranges
Affected versions
v28.*
v28.0.0
v28.0.1
v28.0.10rc1
v28.0.1rc1
v28.0.2
v28.0.2rc1
v28.0.2rc2
v28.0.2rc3
v28.0.2rc4
v28.0.2rc5
v28.0.3
v28.0.3rc1
v28.0.3rc2
v28.0.4
v28.0.4rc1
v28.0.5
v28.0.5rc1
v28.0.6
v28.0.6rc1
v28.0.7
v28.0.7rc1
v28.0.7rc2
v28.0.7rc3
v28.0.7rc4
v28.0.8
v28.0.8rc1
v28.0.9
v28.0.9rc1
v29.*
v29.0.0
v29.0.1
v29.0.1rc1
v29.0.2
v29.0.2rc1
v29.0.2rc2
v29.0.3
v29.0.3rc1
v29.0.3rc2
v29.0.3rc3
v29.0.3rc4
v29.0.4
v29.0.4rc1
v29.0.5
v29.0.5rc1
v29.0.6
v29.0.6rc1
v29.0.7rc1