CVE-2021-37617

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the Uninstall.exe file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious Uninstall.exe, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the C:\ system folder and verify that there is no malicious C:\Uninstall.exe file on the system.