Source: ubuntucve (Ubuntu.com), ID UB:CVE-2023-23942
History: Feb 06, 2023 - 12:00 a.m.

CVE-2023-23942

Tags: nextcloud desktop client, qml labels, html elements, javascript injection, upgrade, security issue

CVSS3: 6.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001
Percentile: 38.8%

The Nextcloud Desktop Client is a tool to synchronize files from a
Nextcloud Server with your computer. Versions prior to 3.6.3 are missing
sanitisation on QML labels, which are used for basic HTML elements such as
strong, em and headlines in the UI of the desktop client. The lack
of sanitisation may allow for JavaScript injection. It is recommended that
the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known
workarounds for this issue.

| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 20.04 | noarch | nextcloud-desktop | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | nextcloud-desktop | < any | UNKNOWN |
