Bug 1205798 - (CVE-2022-39331) VUL-0: CVE-2022-39331: nextcloud-desktop: Arbitrary HyperText Markup Language injection in notifications
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/348954/
Reported: 2022-11-28 08:09 UTC by Hu
Modified: 2022-11-28 08:15 UTC
Found By: Security Response Team

Description Hu 2022-11-28 08:09:22 UTC
CVE-2022-39331

Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can
inject arbitrary HyperText Markup Language into the Desktop Client application
in the notifications. It is recommended that the Nextcloud Desktop client is
upgraded to 3.6.1. There are no known workarounds for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39331
https://www.cve.org/CVERecord?id=CVE-2022-39331
https://github.com/nextcloud/desktop/pull/4944
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5
http://www.cvedetails.com/cve/CVE-2022-39331/
https://hackerone.com/reports/1668028
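The advisory only says that HTML in notification text reaches the client's rendering. The following is an added illustration of that bug class, not code from nextcloud-desktop and not a reproduction of the fix in the linked pull request: a notification body is assembled from text that the client received from the server, once by pasting the text straight into a rich-text template and once after escaping it. The `htmlEscape` function stands in for the Qt-style escaping a real client would use (the equivalent of `QString::toHtmlEscaped()`), and the sample subject string is constructed for the example.

```cpp
// Added illustration of HTML injection into a rich-text notification body.
// Not nextcloud-desktop's code; the real rendering path is not described on
// this page. Plain C++ so it runs without Qt.
#include <iostream>
#include <string>

// Escape the characters that change meaning in HTML text or attributes.
// Same contract as Qt's QString::toHtmlEscaped(), reimplemented here.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Template prefix the client itself emits; everything after it is untrusted.
static const std::string kPrefix = "<b>Nextcloud</b>: ";

// Vulnerable pattern: server-supplied text is concatenated into a rich-text
// string verbatim, so any markup in it is rendered instead of displayed.
std::string buildNotificationUnsafe(const std::string &subject) {
    return kPrefix + subject;
}

// Hardened pattern: untrusted text is escaped before it enters rich text.
std::string buildNotificationSafe(const std::string &subject) {
    return kPrefix + htmlEscape(subject);
}

// Check used by the test below: does the body contain a tag that did not
// come from our own template, i.e. a '<' after the fixed prefix?
bool containsForeignTag(const std::string &body) {
    return body.find('<', kPrefix.size()) != std::string::npos;
}

int main() {
    // Constructed sample of a server-controlled notification subject (hypothetical host).
    const std::string subject =
        "<a href=\"https://attacker.invalid/\">Click to restore your files</a>";
    std::cout << "unsafe: " << buildNotificationUnsafe(subject) << "\n";
    std::cout << "safe:   " << buildNotificationSafe(subject) << "\n";
    return 0;
}
```

The point of the check is the trust boundary, not the specific tag: once the prefix is fixed and the remainder is escaped, no byte from the server can open an element, so a link, image or form in the subject is shown as literal text rather than rendered.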
Comment 1 Hu 2022-11-28 08:09:50 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3/nextcloud-desktop  3.1.3 
- openSUSE:Backports:SLE-15-SP4/nextcloud-desktop  3.3.6 

Not Affected:
- openSUSE:Factory/nextcloud-desktop               3.6.2