CVE-2024-52508

Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers

Description

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be send to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.

Category

8.2
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.13%
Affected: nextcloud security-advisories
Published at:
Updated at:

References

Link Tags
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc
https://github.com/nextcloud/mail/pull/9964
https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b
https://hackerone.com/reports/2508422

Frequently Asked Questions

What is the severity of CVE-2024-52508?
CVE-2024-52508 has been scored as a high severity vulnerability.
How to fix CVE-2024-52508?
To fix CVE-2024-52508, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-52508 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-52508 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-52508?
CVE-2024-52508 affects nextcloud security-advisories.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.