PT-2023-24199 · Nextcloud · Nextcloud Contacts

Christophwurst

Publicado

2023-05-30

Atualizado

2023-06-06

CVE-2023-33182

CVSS v3.1

0.0

Nenhuma

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud Contacts app versions prior to 4.2.4 Nextcloud Contacts app versions prior to 5.0.3

Description The issue concerns the handling of unsanitized SVG files in the Contacts app for Nextcloud. These files are converted into JavaScript blobs, which the Avatar component cannot render. Although the missing sanitization is present, it does not seem to be exploitable due to this specific implementation.

Recommendations For versions prior to 4.2.4, upgrade to version 4.2.4. For versions prior to 5.0.3, upgrade to version 5.0.3.

Exploit

Correção

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-20

Identificadores relacionados

CVE-2023-33182

GHSA-HXR6-CX85-GCJX

Produtos afetados

Nextcloud Contacts

PT-2023-24199 · Nextcloud · Nextcloud Contacts

CVE-2023-33182

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 6