CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22472 – Nextcloud Deck Desktop Client is vulnerable to Cross-Site Request Forgery (CSRF) via malicious link
https://notcve.org/view.php?id=CVE-2023-22472
09 Jan 2023 — Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. • https://github.com/nextcloud/desktop/pull/5106 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39332 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39332
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39334 – nextcloudcmd incorrectly trusts bad TLS certificates
https://notcve.org/view.php?id=CVE-2022-39334
25 Nov 2022 — Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. Nextcloud también incluye una utilidad CLI llamada n... • https://github.com/nextcloud/desktop/issues/4927 • CWE-295: Improper Certificate Validation •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39331 – Cross-site Scripting (XSS) in Nexcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39331
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización de escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4944 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39333 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39333
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-41882 – Nextcloud Desktop vulnerable to code injection via malicious link
https://notcve.org/view.php?id=CVE-2022-41882
11 Nov 2022 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1. A... • https://github.com/nextcloud/desktop/pull/5039 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24038
https://notcve.org/view.php?id=CVE-2021-24038
18 Aug 2021 — Due to a bug with management of handles in OVRServiceLauncher.exe, an attacker could expose a privileged process handle to an unprivileged process, leading to local privilege escalation. This issue affects Oculus Desktop versions after 1.39 and prior to 31.1.0.67.507. Debido a un bug en la administración de los manejadores en el archivo OVRServiceLauncher.exe, un atacante podría exponer un manejador de proceso privilegiado a un proceso no privilegiado, conllevando a una escalada de privilegios local. Este p... • https://www.facebook.com/security/advisories/cve-2021-24038 • CWE-269: Improper Privilege Management •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37617 – Untrusted Search Path in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2021-37617
18 Aug 2021 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges o... • https://github.com/nextcloud/desktop/pull/3497 • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-32728 – End-to-end encryption device setup did not verify public key
https://notcve.org/view.php?id=CVE-2021-32728
18 Aug 2021 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This is... • https://github.com/nextcloud/desktop/pull/3338 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37841
https://notcve.org/view.php?id=CVE-2021-37841
12 Aug 2021 — Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. Docker Desktop versiones anteriores a 3.6.0, sufre de un control de acceso incorrecto. Si una cuenta poco privilegiada es capaz de a... • https://docs.docker.com/docker-for-windows/release-notes • CWE-732: Incorrect Permission Assignment for Critical Resource •