CVSS: 6.6EPSS: 1%CPEs: 1EXPL: 1CVE-2025-23040 – Maliciously crafted remote URLs could lead to credential leak in GitHub Desktop
https://notcve.org/view.php?id=CVE-2025-23040
15 Jan 2025 — GitHub Desktop is an open-source Electron-based GitHub app designed for git development. An attacker convincing a user to clone a repository directly or through a submodule can allow the attacker access to the user's credentials through the use of maliciously crafted remote URL. GitHub Desktop relies on Git to perform all network related operations (such as cloning, fetching, and pushing). When a user attempts to clone a repository GitHub Desktop will invoke `git clone` and when Git encounters a remote whic... • https://github.com/GabrieleDattile/CVE-2025-23040 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31647
https://notcve.org/view.php?id=CVE-2022-31647
27 Apr 2023 — Docker Desktop before 4.6.0 on Windows allows attackers to delete any file through the hyperv/destroy dockerBackendV2 API via a symlink in the DataFolder parameter, a different vulnerability than CVE-2022-26659. • https://docs.docker.com/desktop/release-notes/#docker-desktop-460 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-34292
https://notcve.org/view.php?id=CVE-2022-34292
27 Apr 2023 — Docker Desktop for Windows before 4.6.0 allows attackers to overwrite any file through a symlink attack on the hyperv/create dockerBackendV2 API by controlling the DataFolder parameter for DockerDesktop.vhdx, a similar issue to CVE-2022-31647. • https://docs.docker.com/desktop/release-notes/#docker-desktop-460 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-38730
https://notcve.org/view.php?id=CVE-2022-38730
27 Apr 2023 — Docker Desktop for Windows before 4.6 allows attackers to overwrite any file through the windowscontainers/start dockerBackendV2 API by controlling the data-root field inside the DaemonJSON field in the WindowsContainerStartRequest class. This allows exploiting a symlink vulnerability in ..\dataRoot\network\files\local-kv.db because of a TOCTOU race condition. • https://docs.docker.com/desktop/release-notes/#docker-desktop-460 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-37326
https://notcve.org/view.php?id=CVE-2022-37326
27 Apr 2023 — Docker Desktop for Windows before 4.6.0 allows attackers to delete (or create) any file through the dockerBackendV2 windowscontainers/start API by controlling the pidfile field inside the DaemonJSON field in the WindowsContainerStartRequest class. This can indirectly lead to privilege escalation. • https://docs.docker.com/desktop/release-notes/#docker-desktop-460 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23942 – Self reflected HTML injection in Desktop client
https://notcve.org/view.php?id=CVE-2023-23942
06 Feb 2023 — The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue. • https://github.com/nextcloud/desktop/pull/5233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39334 – nextcloudcmd incorrectly trusts bad TLS certificates
https://notcve.org/view.php?id=CVE-2022-39334
25 Nov 2022 — Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. Nextcloud también incluye una utilidad CLI llamada n... • https://github.com/nextcloud/desktop/issues/4927 • CWE-295: Improper Certificate Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39331 – Cross-site Scripting (XSS) in Nexcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39331
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización de escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39332 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39332
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39333 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39333
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •