CVE-2022-39331

2022-11-2519:15:11

Debian Security Bug Tracker

security-tracker.debian.org

nextcloud

desktop sync client

html injection

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

26.4%

JSON

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.

OSVersionArchitecturePackageVersionFilename
Debian12allnextcloud-desktop< 3.6.1-1nextcloud-desktop_3.6.1-1_all.deb
Debian11allnextcloud-desktop<= 3.1.1-2+deb11u1nextcloud-desktop_3.1.1-2+deb11u1_all.deb
Debian999allnextcloud-desktop< 3.6.1-1nextcloud-desktop_3.6.1-1_all.deb
Debian13allnextcloud-desktop< 3.6.1-1nextcloud-desktop_3.6.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	nextcloud-desktop	< 3.6.1-1	nextcloud-desktop_3.6.1-1_all.deb
Debian	11	all	nextcloud-desktop	<= 3.1.1-2+deb11u1	nextcloud-desktop_3.1.1-2+deb11u1_all.deb
Debian	999	all	nextcloud-desktop	< 3.6.1-1	nextcloud-desktop_3.6.1-1_all.deb
Debian	13	all	nextcloud-desktop	< 3.6.1-1	nextcloud-desktop_3.6.1-1_all.deb