CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28124
https://notcve.org/view.php?id=CVE-2023-28124
19 Apr 2023 — Improper usage of symmetric encryption in UI Desktop for Windows (Version 0.59.1.71 and earlier) could allow users with access to UI Desktop configuration files to decrypt their content.This vulnerability is fixed in Version 0.62.3 and later. • https://community.ui.com/releases/Security-Advisory-Bulletin-029-029/a47c68f2-1f3a-47c3-b577-eb70599644e4 • CWE-326: Inadequate Encryption Strength •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2023-1802 – In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed
https://notcve.org/view.php?id=CVE-2023-1802
06 Apr 2023 — In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected. In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted net... • https://docs.docker.com/desktop/release-notes/#4180 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-29000 – Nextcloud Desktop client does not verify received singed certificate in end-to-end encryption
https://notcve.org/view.php?id=CVE-2023-29000
04 Apr 2023 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available. • https://github.com/nextcloud/desktop/pull/4949 • CWE-295: Improper Certificate Validation •
CVSS: 8.0EPSS: 0%CPEs: 3EXPL: 1CVE-2023-28999 – Nextcloud: Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders
https://notcve.org/view.php?id=CVE-2023-28999
04 Apr 2023 — Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf • CWE-311: Missing Encryption of Sensitive Data CWE-325: Missing Cryptographic Step •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2023-28998 – Nextcloud Desktop client misbehaves with E2EE when the server returns empty list of metadata keys
https://notcve.org/view.php?id=CVE-2023-28998
04 Apr 2023 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf • CWE-325: Missing Cryptographic Step •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2023-28997 – Nextcloud Desktop: Initialization vector reuse in E2EE allows malicious server admin to break, manipulate, access files
https://notcve.org/view.php?id=CVE-2023-28997
04 Apr 2023 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf • CWE-323: Reusing a Nonce, Key Pair in Encryption •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23942 – Self reflected HTML injection in Desktop client
https://notcve.org/view.php?id=CVE-2023-23942
06 Feb 2023 — The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue. • https://github.com/nextcloud/desktop/pull/5233 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22472 – Nextcloud Deck Desktop Client is vulnerable to Cross-Site Request Forgery (CSRF) via malicious link
https://notcve.org/view.php?id=CVE-2023-22472
09 Jan 2023 — Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. • https://github.com/nextcloud/desktop/pull/5106 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39332 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39332
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-39333 – Cross-site scripting (XSS) in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2022-39333
25 Nov 2022 — Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •