{"id":"CVE-2024-52508","summary":"Nextcloud Mail auto configurator can be tricked into sending account information to wrong servers","details":"Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like user@example.tld that does not support auto configuration, and an attacker has managed to register autoconfig.tld, the email details used would be sent to the attacker's server. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.","aliases":["GHSA-vmhx-hwph-q6mc"],"modified":"2026-04-10T05:15:07.760479Z","published":"2024-11-15T17:34:21.900Z","database_specific":{"cwe_ids":["CWE-200"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52508.json"},"references":[{"type":"WEB","url":"https://hackerone.com/reports/2508422"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/52xxx/CVE-2024-52508.json"},{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vmhx-hwph-q6mc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52508"},{"type":"FIX","url":"https://github.com/nextcloud/mail/commit/a84c70e15d814dab6f0e8eda71bbaaf48152079b"},{"type":"FIX","url":"https://github.com/nextcloud/mail/pull/9964"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/mail","events":[{"introduced":"f1c4d938cee68c8976393a566a10e21b4098f536"},{"fixed":"a69d8295933c54cf98f55842d0a60b7cc1f1bc3e"}],"database_specific":{"versions":[{"introduced":"1.9.0"},{"fixed":"1.14.6"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/mail","events":[{"introduced":"9eb32f249939ca5783c109a13ccb0d3a261744cb"},{"fixed":"341688b4ce07d3ac0823899ede403ca12e52f94a"}],"database_specific":{"versions":[{"introduced":"2.1.0"},{"fixed":"2.2.11"}]}},{"type":"GIT","repo":"http
s://github.com/nextcloud/mail","events":[{"introduced":"0"},{"fixed":"2766ae05a7f3a82977f04414c3150dafd9eafa9c"}],"database_specific":{"versions":[{"introduced":"3.1.0"},{"fixed":"3.6.3"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/mail","events":[{"introduced":"778e748e37109149f8168a6cbbd1c3366594ff1b"},{"fixed":"8480cb6b26bce880d0706dc62e9feaf9f68df2b7"}],"database_specific":{"versions":[{"introduced":"1.15.0"},{"fixed":"1.15.4"}]}},{"type":"GIT","repo":"https://github.com/nextcloud/mail","events":[{"introduced":"d12ce32074a72e61723e9e56793ba4d0d3e41981"},{"fixed":"ec37b464ab9b22d0c882bb6646772c20210c6327"}],"database_specific":{"versions":[{"introduced":"3.7.0"},{"fixed":"3.7.7"}]}}],"versions":["1.10.0-alpha.7","1.6.2","nighly-20170831","nightly-20161202","nightly-20161208","nightly-20161218","nightly-20170117","nightly-20170612","nightly-20170823","nightly-20170831","nightly-20170906","nightly-20170913","nightly-20171127","nightly-20171212","nightly-20180410","nightly-20200115","nightly-20200423","nightly-20200427","nightly-20200506","nightly-20200513","untagged-bd8a3cab1eb0022ec683","v0.1.0","v0.1.3","v0.10.0","v0.11.0","v0.12.0","v0.12.0-RC2","v0.12.0-RC3","v0.12.0-alpha3","v0.12.0-beta1","v0.12.0-beta2","v0.12.0-beta4","v0.12.0-beta5","v0.13.0","v0.14.0","v0.15.0","v0.15.1","v0.15.2","v0.15.3","v0.15.4","v0.15.5","v0.16.0","v0.17.0","v0.18.0","v0.18.0-RC1","v0.18.1","v0.19.0","v0.19.1","v0.2.0","v0.20.0","v0.20.1","v0.20.2","v0.20.3","v0.21.0","v0.21.1","v0.3.0","v0.4.0","v0.4.1","v0.4.2","v0.4.3","v0.4.4","v0.5.0","v0.5.1","v0.5.2","v0.6.2","v0.7.0","v0.7.1","v0.7.10","v0.7.2","v0.7.3","v0.7.4","v0.7.5","v0.7.6","v0.7.7","v0.7.8","v0.7.9","v0.8.0","v0.8.0-alpha1","v0.8.0-beta1","v0.8.1","v0.8.2","v0.8.3","v0.9.0","v1.0.0","v1.1.0","v1.1.1","v1.1.2","v1.10.0-RC.1","v1.10.0-alpha.4","v1.10.0-alpha.6","v1.10.0-alpha.7","v1.11.0","v1.11.0-rc1","v1.12.0-rc.1","v1.13.0-beta1","v1.13.0-beta3","v1.14.0","v1.14.0-alpha4","v1.14.0-beta1","v1.14.0-beta2","v1
.14.0-beta3","v1.14.0-rc.1","v1.14.0-rc.2","v1.14.1","v1.14.2","v1.14.3","v1.14.3.alpha.1","v1.14.4","v1.14.5","v1.15.0","v1.15.1","v1.15.2","v1.15.3","v1.3.0","v1.3.0-RC1","v1.3.0-beta1","v1.3.0-beta2","v1.3.0-beta3","v1.3.1","v1.3.2","v1.3.3","v1.4.0-beta1","v1.4.0-beta2","v1.4.0-rc1","v1.5.0","v1.5.0-alpha3","v1.5.0-beta1","v1.5.0-beta2","v1.5.0-beta3","v1.5.0-rc1","v1.5.0-rc2","v1.6.0","v1.7.0","v1.8.0","v1.9.0","v1.9.0-alpha2","v1.9.0-alpha3","v2.0.0-RC1","v2.0.0-beta.5","v2.0.0-beta.6","v2.0.0-beta.7","v2.0.0-beta1","v2.0.0-beta3","v2.0.0-beta4","v2.1.0-rc1","v2.3.0-alpha.4","v3.0.0-alpha.1","v3.0.0-beta.2","v3.2.0-alpha.1","v3.2.0-alpha.2","v3.2.0-beta.1","v3.2.0-beta.2","v3.2.0-rc.1","v3.3.0-alpha.1","v3.4.0-alpha.3","v3.4.0-beta.1","v3.4.0-beta.2","v3.4.0-beta.3","v3.4.0-beta.4","v3.4.0-rc.1","v3.5.0-beta1","v3.5.0-beta2","v3.5.0-beta3","v3.6.0","v3.6.0-beta1","v3.6.0-beta2","v3.6.0-beta3","v3.6.0-rc1","v3.6.0-rc2","v3.6.0-rc3","v3.6.1","v3.6.2","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.7.4","v3.7.5","v3.7.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-52508.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"}]}