Page 4 of 54 results (0.006 seconds)

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue. • https://github.com/nextcloud/desktop/pull/5233 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64qc-vf6v-8xgg https://hackerone.com/reports/1788598 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. It is possible to make a user send any POST request with an arbitrary body given they click on a malicious deep link on a Windows computer. (e.g. in an email, chat link, etc). There are currently no known workarounds. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.2. • https://github.com/nextcloud/desktop/pull/5106 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4gfv-xqpx-42qj • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización de escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4944 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5 https://hackerone.com/reports/1668028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 1

Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server. Nextcloud también incluye una utilidad CLI llamada nextcloudcmd que a veces se utiliza para scripts automatizados y servidores headless. • https://github.com/nextcloud/desktop/issues/4927 https://github.com/nextcloud/desktop/pull/5022 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv https://hackerone.com/reports/1699740 • CWE-295: Improper Certificate Validation •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1

Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue. Nexcloud Desktop es el cliente de sincronización del Escritorio para Nextcloud. • https://github.com/nextcloud/desktop/pull/4972 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p https://hackerone.com/reports/1707977 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •