Bug 2151124 (CVE-2022-39333)

Summary: CVE-2022-39333 nextcloud-client: XSS in Desktop Client in call notification popup
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nextcloud-client 3.6.1
Bug Depends On: 2151131, 2151135
Bug Blocks: 2148826

Description TEJ RATHI 2022-12-06 08:13:13 UTC
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.

https://github.com/nextcloud/desktop/pull/4972
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8
https://hackerone.com/reports/1711847
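
The advisory describes the bug class only: attacker-controlled text reaching a widget that parses it as rich text (HTML). The snippet below is an added, stand-alone illustration of that class and of the standard mitigation (output encoding), written for this page; it is not the Nextcloud client's code and does not reproduce the actual fix in PR 4972. The template string, the function names and the sample display name are all constructed for the example. In a Qt/QML code base the equivalent tools are QString::toHtmlEscaped() for text that must go into a rich-text label, or setting the text element to plain-text mode (QML `Text.textFormat: Text.PlainText`) so the widget never parses markup at all.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Escape the characters that let untrusted text break out of a rich-text
// context. Same idea as QString::toHtmlEscaped() (which covers < > & ") with
// the single quote added so the result is also safe inside attributes.
std::string escapeHtml(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern (hypothetical template): a server-supplied display name
// is concatenated straight into markup that a rich-text widget will parse,
// so any tag in the name becomes part of the rendered notification.
std::string buildCallNotificationVulnerable(const std::string& callerDisplayName) {
    return "<b>" + callerDisplayName + "</b> is calling you";
}

// Hardened form: the untrusted field is escaped, so the only tags the widget
// sees are the two the application itself wrote.
std::string buildCallNotificationHardened(const std::string& callerDisplayName) {
    return "<b>" + escapeHtml(callerDisplayName) + "</b> is calling you";
}

// Test/CI helper for this template: the template contributes exactly two '<'
// characters (<b> and </b>); any other '<' in the rendered string is markup
// that came from the untrusted input.
bool containsForeignMarkup(const std::string& rendered) {
    std::size_t lt = 0;
    for (char c : rendered) {
        if (c == '<') ++lt;
    }
    return lt != 2;
}

// Constructed sample input: a display name carrying an element with an event
// handler attribute, the kind of payload a rich-text/HTML renderer would act on.
const std::string kMaliciousName = "Mallory<img src=x onerror=\"alert(1)\">";

int main() {
    std::cout << "vulnerable: " << buildCallNotificationVulnerable(kMaliciousName) << "\n";
    std::cout << "hardened:   " << buildCallNotificationHardened(kMaliciousName) << "\n";
    std::cout << "foreign markup in vulnerable output: "
              << containsForeignMarkup(buildCallNotificationVulnerable(kMaliciousName)) << "\n";
    std::cout << "foreign markup in hardened output:   "
              << containsForeignMarkup(buildCallNotificationHardened(kMaliciousName)) << "\n";
    return 0;
}
```

The escaping approach is the right one only when the application genuinely needs its own markup around the field; if the notification can be rendered as plain text, disabling rich-text parsing on the widget removes the sink entirely and does not depend on every call site remembering to escape.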

Comment 1 TEJ RATHI 2022-12-06 08:21:50 UTC
Created nextcloud-client tracking bugs for this issue:

Affects: epel-8 [bug 2151131]
Affects: fedora-35 [bug 2151135]