2151124 – (CVE-2022-39333) CVE-2022-39333 nextcloud-client: XSS in Desktop Client in call notification popup

Bug 2151124 (CVE-2022-39333) - CVE-2022-39333 nextcloud-client: XSS in Desktop Client in call notification popup

Summary: CVE-2022-39333 nextcloud-client: XSS in Desktop Client in call notification p...

Keywords:
Status:	NEW
Alias:	CVE-2022-39333
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2151131 2151135
Blocks:	2148826
TreeView+	depends on / blocked

Reported:	2022-12-06 08:13 UTC by TEJ RATHI
Modified:	2023-07-07 08:34 UTC (History)
CC List:	0 users
Fixed In Version:	nextcloud-client 3.6.1
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2022-12-06 08:13:13 UTC

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.

https://github.com/nextcloud/desktop/pull/4972
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8
https://hackerone.com/reports/1711847

Comment 1 TEJ RATHI 2022-12-06 08:21:50 UTC

Created nextcloud-client tracking bugs for this issue:

Affects: epel-8 [bug 2151131]
Affects: fedora-35 [bug 2151135]

Note You need to log in before you can comment on or make changes to this bug.