2151126 – (CVE-2022-39331) CVE-2022-39331 nextcloud-client: XSS in Desktop Client in the notifications

Bug 2151126 (CVE-2022-39331) - CVE-2022-39331 nextcloud-client: XSS in Desktop Client in the notifications

Summary: CVE-2022-39331 nextcloud-client: XSS in Desktop Client in the notifications

Keywords:
Status:	NEW
Alias:	CVE-2022-39331
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2151129 2151132
Blocks:	2148826
TreeView+	depends on / blocked

Reported:	2022-12-06 08:13 UTC by TEJ RATHI
Modified:	2023-07-07 08:28 UTC (History)
CC List:	0 users
Fixed In Version:	nextcloud-client 3.6.1
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2022-12-06 08:13:13 UTC

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.

https://github.com/nextcloud/desktop/pull/4944
https://hackerone.com/reports/1668028
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5

Comment 1 TEJ RATHI 2022-12-06 08:21:46 UTC

Created nextcloud-client tracking bugs for this issue:

Affects: epel-8 [bug 2151129]
Affects: fedora-35 [bug 2151132]

Note You need to log in before you can comment on or make changes to this bug.