CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39334 – nextcloudcmd incorrectly trusts bad TLS certificates
https://notcve.org/view.php?id=CVE-2022-39334
25 Nov 2022 — Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. Nextcloud también incluye una utilidad CLI llamada n... • https://github.com/nextcloud/desktop/issues/4927 • CWE-295: Improper Certificate Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39331 – Cross-site Scripting (XSS) in Nexcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39331
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización de escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39333 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39333
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39332 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39332
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35257
https://notcve.org/view.php?id=CVE-2022-35257
23 Sep 2022 — A local privilege escalation vulnerability in UI Desktop for Windows (Version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device with UI Desktop to run arbitrary commands as SYSTEM. Una vulnerabilidad de escalada de privilegios local en UI Desktop para Windows (versión 0.55.1.2 y anteriores) permite a un actor malicioso con acceso local a un dispositivo Windows con UI Desktop ejecutar comandos arbitrarios como SYSTEM. • https://community.ui.com/releases/Security-Advisory-Bulletin-025-025/7fc92851-054d-46d3-bdb0-fbb8f7023fed •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26877
https://notcve.org/view.php?id=CVE-2022-26877
09 Apr 2022 — Asana Desktop before 1.6.0 allows remote attackers to exfiltrate local files if they can trick the Asana desktop app into loading a malicious web page. Asana Desktop versiones anteriores a 1.6.0, permite a atacantes remotos exfiltrar archivos locales si consiguen engañar a la aplicación de escritorio Asana para que cargue una página web maliciosa • https://asana.com • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23597 – Remote program execution with user interaction
https://notcve.org/view.php?id=CVE-2022-23597
01 Feb 2022 — Element Desktop is a Matrix client for desktop platforms with Element Web at its core. Element Desktop before 1.9.7 is vulnerable to a remote program execution bug with user interaction. The exploit is non-trivial and requires clicking on a malicious link, followed by another button click. To the best of our knowledge, the vulnerability has never been exploited in the wild. If you are using Element Desktop < 1.9.7, we recommend upgrading at your earliest convenience. • https://github.com/vector-im/element-desktop/commit/89b1e39b801655e595337708d4319ba4313feafa • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-32728 – End-to-end encryption device setup did not verify public key
https://notcve.org/view.php?id=CVE-2021-32728
18 Aug 2021 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This is... • https://github.com/nextcloud/desktop/pull/3338 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37841
https://notcve.org/view.php?id=CVE-2021-37841
12 Aug 2021 — Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. Docker Desktop versiones anteriores a 3.6.0, sufre de un control de acceso incorrecto. Si una cuenta poco privilegiada es capaz de a... • https://docs.docker.com/docker-for-windows/release-notes • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 1CVE-2021-22895 – Debian Security Advisory 4974-1
https://notcve.org/view.php?id=CVE-2021-22895
11 Jun 2021 — Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. Nextcloud Desktop Client versiones anteriores a 3.3.1, es vulnerable a una comprobación inapropiada de certificados debido a una falta de comprobación de certificados SSL cuando se usa el flujo "Register with a Provider" Two vulnerabilities were discovered in the Nextcloud desktop client, which could result in information disclosur... • https://github.com/nextcloud/desktop/pull/2926 • CWE-295: Improper Certificate Validation •