CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2021-32728 – End-to-end encryption device setup did not verify public key
https://notcve.org/view.php?id=CVE-2021-32728
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. • https://github.com/nextcloud/desktop/pull/3338 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f5fr-5gcv-6cc5 https://hackerone.com/reports/1189162 https://www.debian.org/security/2021/dsa-4974 • CWE-295: Improper Certificate Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-37841
https://notcve.org/view.php?id=CVE-2021-37841
Docker Desktop before 3.6.0 suffers from incorrect access control. If a low-privileged account is able to access the server running the Windows containers, it can lead to a full container compromise in both process isolation and Hyper-V isolation modes. This security issue leads an attacker with low privilege to read, write and possibly even execute code inside the containers. Docker Desktop versiones anteriores a 3.6.0, sufre de un control de acceso incorrecto. Si una cuenta poco privilegiada es capaz de acceder al servidor que ejecuta los contenedores de Windows, puede conllevar a un compromiso del contenedor completo en los modos de aislamiento de procesos y de aislamiento de Hyper-V. • https://docs.docker.com/docker-for-windows/release-notes • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 1CVE-2021-22895
https://notcve.org/view.php?id=CVE-2021-22895
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow. Nextcloud Desktop Client versiones anteriores a 3.3.1, es vulnerable a una comprobación inapropiada de certificados debido a una falta de comprobación de certificados SSL cuando se usa el flujo "Register with a Provider" • https://github.com/nextcloud/desktop/pull/2926 https://github.com/nextcloud/desktop/releases/tag/v3.1.3 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5 https://hackerone.com/reports/903424 https://www.debian.org/security/2021/dsa-4974 • CWE-295: Improper Certificate Validation •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 1CVE-2021-22879
https://notcve.org/view.php?id=CVE-2021-22879
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation. Nextcloud Desktop Client versiones anteriores a 3.1.3, es vulnerable a una inyección de recursos debido a una falta de comprobación de las URL, permitiendo a un servidor malicioso ejecutar comandos remotos. Una interacción del usuario es necesaria para su explotación • https://github.com/nextcloud/desktop/pull/2906 https://hackerone.com/reports/1078002 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTWBJAS5DJJIK7LLVBZZQTSJASUVIRVE https://nextcloud.com/security/advisory/?id=NC-SA-2021-008 https://security.gentoo.org/glsa/202105-37 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6021
https://notcve.org/view.php?id=CVE-2015-6021
Spiceworks Desktop before 2015-12-01 has XSS via an SNMP response. Spiceworks Desktop en versiones anteriores a 01-12-2015 tiene un XSS a través de una respuesta SNMP. • https://community.rapid7.com/community/infosec/blog/2015/12/16/multiple-disclosures-for-multiple-network-management-systems • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •