Page 3 of 29 results (0.017 seconds)

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización de escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4944 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5 https://hackerone.com/reports/1668028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1

Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. Nextcloud también incluye una utilidad CLI llamada nextcloudcmd que a veces se utiliza para scripts automatizados y servidores headless. • https://github.com/nextcloud/desktop/issues/4927 https://github.com/nextcloud/desktop/pull/5022 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv https://hackerone.com/reports/1699740 • CWE-295: Improper Certificate Validation •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p https://hackerone.com/reports/1707977 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8 https://hackerone.com/reports/1711847 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1. As a workaround, users can block the Nextcloud Desktop client 3.6.0 by setting the `minimum.supported.desktop.version` system config to `3.6.1` on the server, so new files designed to use this attack vector are not downloaded anymore. • https://github.com/nextcloud/desktop/pull/5039 https://github.com/nextcloud/desktop/releases/tag/v3.6.1 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3w86-rm38-8w63 https://github.com/nextcloud/server/pull/34559 • CWE-94: Improper Control of Generation of Code ('Code Injection') •