CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22472 – Nextcloud Deck Desktop Client is vulnerable to Cross-Site Request Forgery (CSRF) via malicious link
https://notcve.org/view.php?id=CVE-2023-22472
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. • https://github.com/nextcloud/desktop/pull/5106 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gfv-xqpx-42qj • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39332 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39332
Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p https://hackerone.com/reports/1707977 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39331 – Cross-site Scripting (XSS) in Nexcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39331
Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización de escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4944 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5 https://hackerone.com/reports/1668028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39334 – nextcloudcmd incorrectly trusts bad TLS certificates
https://notcve.org/view.php?id=CVE-2022-39334
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. Nextcloud también incluye una utilidad CLI llamada nextcloudcmd que a veces se utiliza para scripts automatizados y servidores headless. • https://github.com/nextcloud/desktop/issues/4927 https://github.com/nextcloud/desktop/pull/5022 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv https://hackerone.com/reports/1699740 • CWE-295: Improper Certificate Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39333 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39333
Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8 https://hackerone.com/reports/1711847 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •