CVE-2023-23942

2023-02-0621:15:09

Alpine Linux Development Team

security.alpinelinux.org

nextcloud desktop client

sanitisation

javascript injection

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

0.001

Percentile

38.8%

JSON

The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as strong, em and head lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchnextcloud-client< 3.6.6-r0UNKNOWN
Alpine3.18-communitynoarchnextcloud-client< 3.6.6-r0UNKNOWN
Alpine3.19-communitynoarchnextcloud-client< 3.6.6-r0UNKNOWN
Alpine3.20-communitynoarchnextcloud-client< 3.6.6-r0UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	nextcloud-client	< 3.6.6-r0	UNKNOWN
Alpine	3.18-community	noarch	nextcloud-client	< 3.6.6-r0	UNKNOWN
Alpine	3.19-community	noarch	nextcloud-client	< 3.6.6-r0	UNKNOWN
Alpine	3.20-community	noarch	nextcloud-client	< 3.6.6-r0	UNKNOWN