CVE-2024-37885: 
Nextcloud Desktop Client vulnerability analysis and mitigation

A code injection vulnerability (CVE-2024-37885) was discovered in the Nextcloud Desktop Client for macOS. The vulnerability was disclosed on June 14, 2024, affecting versions prior to 3.12.0. The issue allows attackers to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment (Nextcloud Advisory).

The vulnerability is classified as a code injection (CWE-94) with a CVSS v3.1 base score of 3.8 (LOW) according to GitHub's assessment, while NIST rates it at 7.8 (HIGH) with a vector string of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The attack requires local access and involves manipulation of the DYLD_INSERT_LIBRARIES environment variable to load arbitrary code during client startup (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with the privileges of the Nextcloud Desktop Client. The impact affects confidentiality, integrity, and availability of the system, with potential for unauthorized data access and system manipulation (Nextcloud Advisory).

The vulnerability has been patched in Nextcloud Desktop Client version 3.12.0. Users are strongly recommended to upgrade to this version as no alternative workarounds are available (Nextcloud Advisory).