CVE-2023-23942Cross-site Scripting in Security-advisories

CWE-79Cross-site Scripting4 documents4 sources
Severity
6.1MEDIUMNVD
CNA5.4
EPSS
1.3%
top 20.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Desktop
Timeline
PublishedFeb 6

Description

The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

NVDnextcloud/desktop< 3.6.3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
CVE-2023-23942: The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer2023-02-06
CVEList
Self reflected HTML injection in Desktop client2023-02-06

📋Vendor Advisories

1
Debian
CVE-2023-23942: nextcloud-desktop - The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Ser...2023
CVE-2023-23942 — Cross-site Scripting | cvebase