CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2023-33182 – Nextcloud Contacts photos only sanitized if mime type is all lower case
https://notcve.org/view.php?id=CVE-2023-33182
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4 • https://github.com/nextcloud/contacts/pull/3199 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx https://hackerone.com/reports/1789602 • CWE-20: Improper Input Validation •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2021-25524
https://notcve.org/view.php?id=CVE-2021-25524
Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID. Un almacenamiento no seguro de la información del dispositivo en Contacts versiones anteriores a 12.7.05.24, permite a un atacante conseguir el ID de la cuenta de Samsung • https://security.samsungmobile.com/serviceWeb.smsb?year=2021&month=12 • CWE-922: Insecure Storage of Sensitive Information •