Bug 2151125 (CVE-2022-39332)

Summary: CVE-2022-39332 nextcloud-client: XSS in Desktop Client via user status and information
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nextcloud-client 3.6.1
Doc Type: If docs needed, set a value
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2151130, 2151134
Bug Blocks: 2148826

Description TEJ RATHI 2022-12-06 08:13:13 UTC
Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client be upgraded to 3.6.1. There are no known workarounds for this issue.

https://github.com/nextcloud/desktop/pull/4972
https://hackerone.com/reports/1707977
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p
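
The bug class above is output encoding: a string another user controls (their status text or profile information) is placed into a surface that interprets HTML, so markup in that string is rendered instead of shown literally. The block below is an added illustration and is not code from Nextcloud or from the fix in PR 4972; it assumes, as the summary implies, that the client builds a rich-text fragment from the status, and the function names (html_escape, render_status_unsafe, render_status_safe) and the sample status string are hypothetical. It shows the vulnerable concatenation beside the hardened form that escapes every untrusted field before it reaches the rich-text surface.

```cpp
#include <iostream>
#include <string>

// Added example, not Nextcloud client code. Names below are hypothetical.
//
// Escape the five characters that change meaning inside HTML text and
// attribute values so user-controlled input is displayed literally.
std::string html_escape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern: fields fetched from the server are concatenated
// straight into a rich-text fragment, so any tag inside them is interpreted
// by the widget that displays the fragment.
std::string render_status_unsafe(const std::string& display_name,
                                 const std::string& status) {
    return "<b>" + display_name + "</b>: " + status;
}

// Hardened pattern: only the markup the client itself emits (<b>...</b>)
// survives as markup; every untrusted field is escaped first.
std::string render_status_safe(const std::string& display_name,
                               const std::string& status) {
    return "<b>" + html_escape(display_name) + "</b>: " + html_escape(status);
}

// Helper for the check below: does the rendered fragment still contain a
// tag verbatim from the untrusted input?
bool contains_raw_tag(const std::string& rendered, const std::string& tag) {
    return rendered.find(tag) != std::string::npos;
}

int main() {
    // Constructed sample: a status another user could set on the server.
    const std::string name = "alice";
    const std::string status = "<a href=\"https://example.invalid\">Out of office</a>";

    std::cout << "unsafe: " << render_status_unsafe(name, status) << "\n";
    std::cout << "safe:   " << render_status_safe(name, status) << "\n";
    return 0;
}
```

The unsafe path hands the widget a live anchor; the safe path shows the literal text `<a href="...">Out of office</a>` next to the bolded name. The same rule applies to any other user-supplied field that is drawn into a rich-text control: escape at the point of rendering, or render it with a plain-text mode so the control never parses it as markup.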

Comment 1 TEJ RATHI 2022-12-06 08:21:49 UTC
Created nextcloud-client tracking bugs for this issue:

Affects: epel-8 [bug 2151130]
Affects: fedora-35 [bug 2151134]