Bug 2151126 (CVE-2022-39331)

Summary: CVE-2022-39331 nextcloud-client: XSS in Desktop Client in the notifications
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nextcloud-client 3.6.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2151129, 2151132
Bug Blocks: 2148826

Description TEJ RATHI 2022-12-06 08:13:13 UTC
Nextcloud Desktop is the desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.

https://github.com/nextcloud/desktop/pull/4944
https://hackerone.com/reports/1668028
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5

Comment 1 TEJ RATHI 2022-12-06 08:21:46 UTC
Created nextcloud-client tracking bugs for this issue:

Affects: epel-8 [bug 2151129]
Affects: fedora-35 [bug 2151132]