CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-35257
https://notcve.org/view.php?id=CVE-2022-35257
23 Sep 2022 — A local privilege escalation vulnerability in UI Desktop for Windows (Version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device with UI Desktop to run arbitrary commands as SYSTEM. Una vulnerabilidad de escalada de privilegios local en UI Desktop para Windows (versión 0.55.1.2 y anteriores) permite a un actor malicioso con acceso local a un dispositivo Windows con UI Desktop ejecutar comandos arbitrarios como SYSTEM. • https://community.ui.com/releases/Security-Advisory-Bulletin-025-025/7fc92851-054d-46d3-bdb0-fbb8f7023fed •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-26877
https://notcve.org/view.php?id=CVE-2022-26877
09 Apr 2022 — Asana Desktop before 1.6.0 allows remote attackers to exfiltrate local files if they can trick the Asana desktop app into loading a malicious web page. Asana Desktop versiones anteriores a 1.6.0, permite a atacantes remotos exfiltrar archivos locales si consiguen engañar a la aplicación de escritorio Asana para que cargue una página web maliciosa • https://asana.com • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23597 – Remote program execution with user interaction
https://notcve.org/view.php?id=CVE-2022-23597
01 Feb 2022 — Element Desktop is a Matrix client for desktop platforms with Element Web at its core. Element Desktop before 1.9.7 is vulnerable to a remote program execution bug with user interaction. The exploit is non-trivial and requires clicking on a malicious link, followed by another button click. To the best of our knowledge, the vulnerability has never been exploited in the wild. If you are using Element Desktop < 1.9.7, we recommend upgrading at your earliest convenience. • https://github.com/vector-im/element-desktop/commit/89b1e39b801655e595337708d4319ba4313feafa • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24038
https://notcve.org/view.php?id=CVE-2021-24038
18 Aug 2021 — Due to a bug with management of handles in OVRServiceLauncher.exe, an attacker could expose a privileged process handle to an unprivileged process, leading to local privilege escalation. This issue affects Oculus Desktop versions after 1.39 and prior to 31.1.0.67.507. Debido a un bug en la administración de los manejadores en el archivo OVRServiceLauncher.exe, un atacante podría exponer un manejador de proceso privilegiado a un proceso no privilegiado, conllevando a una escalada de privilegios local. Este p... • https://www.facebook.com/security/advisories/cve-2021-24038 • CWE-269: Improper Privilege Management •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37617 – Untrusted Search Path in Nextcloud Desktop Client
https://notcve.org/view.php?id=CVE-2021-37617
18 Aug 2021 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges o... • https://github.com/nextcloud/desktop/pull/3497 • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-32728 – End-to-end encryption device setup did not verify public key
https://notcve.org/view.php?id=CVE-2021-32728
18 Aug 2021 — The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This is... • https://github.com/nextcloud/desktop/pull/3338 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37841
https://notcve.org/view.php?id=CVE-2021-37841
12 Aug 2021 — Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. Docker Desktop versiones anteriores a 3.6.0, sufre de un control de acceso incorrecto. Si una cuenta poco privilegiada es capaz de a... • https://docs.docker.com/docker-for-windows/release-notes • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 1CVE-2021-22895 – Debian Security Advisory 4974-1
https://notcve.org/view.php?id=CVE-2021-22895
11 Jun 2021 — Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. Nextcloud Desktop Client versiones anteriores a 3.3.1, es vulnerable a una comprobación inapropiada de certificados debido a una falta de comprobación de certificados SSL cuando se usa el flujo "Register with a Provider" Two vulnerabilities were discovered in the Nextcloud desktop client, which could result in information disclosur... • https://github.com/nextcloud/desktop/pull/2926 • CWE-295: Improper Certificate Validation •
CVSS: 8.8EPSS: 2%CPEs: 2EXPL: 1CVE-2021-22879 – Gentoo Linux Security Advisory 202105-37
https://notcve.org/view.php?id=CVE-2021-22879
14 Apr 2021 — Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation. Nextcloud Desktop Client versiones anteriores a 3.1.3, es vulnerable a una inyección de recursos debido a una falta de comprobación de las URL, permitiendo a un servidor malicioso ejecutar comandos remotos. Una interacción del usuario es necesaria para su explotación A vulnerability in Nextcloud ... • https://github.com/nextcloud/desktop/pull/2906 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8225
https://notcve.org/view.php?id=CVE-2020-8225
18 Sep 2020 — A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials. Un almacenamiento de texto sin cifrar de información confidencial en Nextcloud Desktop Client versión 2.6.4, proporcionó información sobre los proxies usados y sus credenciales de autenticación • https://hackerone.com/reports/685990 • CWE-312: Cleartext Storage of Sensitive Information •