CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25524
https://notcve.org/view.php?id=CVE-2021-25524
Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID. Un almacenamiento no seguro de la información del dispositivo en Contacts versiones anteriores a 12.7.05.24, permite a un atacante conseguir el ID de la cuenta de Samsung • https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12 • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39221 – XSS in Contacts
https://notcve.org/view.php?id=CVE-2021-39221
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. • https://github.com/nextcloud/contacts/pull/2407 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8280
https://notcve.org/view.php?id=CVE-2020-8280
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. Una falta de comprobación del tipo de archivo en Nextcloud Contacts 3.4.0, permite a un usuario malicioso cargar archivos SVG como archivos PNG para llevar a cabo ataques de tipo cross-site scripting (XSS) • https://hackerone.com/reports/998422 https://nextcloud.com/security/advisory/?id=NC-SA-2020-044 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-8281
https://notcve.org/view.php?id=CVE-2020-8281
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. Una falta de comprobación de tipo de archivo en Nextcloud Contacts versión 3.3.0, permite a un usuario malicioso cargar archivos SVG maliciosos para llevar a cabo ataques de tipo cross-site scripting • https://hackerone.com/reports/894876 https://nextcloud.com/security/advisory/?id=NC-SA-2020-045 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-8181
https://notcve.org/view.php?id=CVE-2020-8181
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. Una falta de comprobación de tipo archivo en Nextcloud Contacts versión 3.2.0, permitió a un usuario malicioso cargar cualquier archivo como avatars • https://hackerone.com/reports/808287%2C https://nextcloud.com/security/advisory/?id=NC-SA-2020-024 • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-840: Business Logic Errors •