Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-33182

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4

Published

2023-05-30T05:15:11.957

Last Modified

2024-11-21T08:05:04.093

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 0.0 (NONE)

Weaknesses

Type: Secondary
CWE-20
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	contacts	< 4.2.4	Yes
Application	nextcloud	contacts	< 5.0.3	Yes

References

https://github.com/nextcloud/contacts/pull/3199 Patch ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx Vendor Advisory ([email protected])
https://hackerone.com/reports/1789602 Permissions Required ([email protected])
https://github.com/nextcloud/contacts/pull/3199 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1789602 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)