Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-23942

The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.

Published

2023-02-06T21:15:09.727

Last Modified

2024-11-21T07:47:09.017

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	desktop	< 3.6.3	Yes

References

https://github.com/nextcloud/desktop/pull/5233 Patch ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64qc-vf6v-8xgg Vendor Advisory ([email protected])
https://hackerone.com/reports/1788598 Permissions Required, Third Party Advisory ([email protected])
https://github.com/nextcloud/desktop/pull/5233 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64qc-vf6v-8xgg Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1788598 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)