PT-2023-19313 · Nextcloud+2 · Nextcloud Desktop Client+2

Matuhn +1 · Published 2023-02-06 · Updated 2023-08-30 · CVE-2023-23942

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Nextcloud Desktop Client versions prior to 3.6.3

Description: The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. It is missing sanitisation on QML labels used for basic HTML elements such as strong, em, and headlines in the UI of the desktop client. The lack of sanitisation may allow for JavaScript injection.

Recommendations: For versions prior to 3.6.3, upgrade to version 3.6.3 to resolve the issue. As a temporary workaround, consider restricting the use of QML labels in the desktop client until a patch is available. However, since there are no known workarounds for this issue, upgrading to the recommended version is the best course of action.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

ALT-PU-2023-2019
ALT-PU-2023-4584
ALT-PU-2023-5197
CVE-2023-23942
GHSA-64QC-VF6V-8XGG
OPENSUSE-SU-2023:0090-1
OPENSUSE-SU-2023:0171-1

Affected products

Alt Linux
Debian
Nextcloud Desktop Client