Nextcloud Desktop is the desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
{"id": "CVE-2022-39331", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-39331", "description": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.", "published": "2022-11-25T19:15:00", "modified": "2022-12-01T13:37:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39331", "reporter": "security-advisories@github.com", "references": ["https://github.com/nextcloud/desktop/pull/4944", "https://hackerone.com/reports/1668028", "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"], "cvelist": ["CVE-2022-39331"], "immutableFields": [], "lastseen": "2022-12-01T15:27:11", "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "debiancve", "idList": ["DEBIANCVE:CVE-2022-39331"]}, {"type": "hackerone", "idList": ["H1:1668028"]}, {"type": "nextcloud", "idList": ["GHSA-C3XH-Q694-6RC5"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2022-39331"]}]}, "score": {"value": 2.7, "vector": "NONE"}, "twitter": {"counter": 6, "tweets": [{"link": "https://twitter.com/threatintelctr/status/1596231469814407168", "text": " NEW: CVE-2022-39331 Nexcloud desktop is the Desktop sync client for Nextcloud. 
An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommen... (click for more) https://t.co/Ru4ofwF1cu", "author": "threatintelctr", "author_photo": "https://pbs.twimg.com/profile_images/904224973987840000/dMy1x9Ho_400x400.jpg"}, {"link": "https://twitter.com/VulmonFeeds/status/1596268944339488768", "text": "CVE-2022-39331\n\nNexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that...\n\nhttps://t.co/Q1FDumwvHs", "author": "VulmonFeeds", "author_photo": "https://pbs.twimg.com/profile_images/945758793161498625/67b3PEYK_400x400.jpg"}, {"link": "https://twitter.com/vulnonym/status/1596285007265505283", "text": "Let the annals of the day show that CVE-2022-39331... has been granted the moniker Relevant Weir\nhttps://t.co/BCjj2piQJd", "author": "vulnonym", "author_photo": "https://pbs.twimg.com/profile_images/1235605772878438405/6p9IJVtn_400x400.jpg"}, {"link": "https://twitter.com/www_sesin_at/status/1596413541988417538", "text": "New post from https://t.co/9KYxtdZjkl (CVE-2022-39331 | Nexcloud Desktop up to 3.6.0 cross site scripting (GHSA-c3xh-q694-6rc5)) has been published on https://t.co/T1Eq0uBj9S", "author": "www_sesin_at", "author_photo": "https://pbs.twimg.com/profile_images/958100963822329858/fb_N8h5n_400x400.jpg"}, {"link": "https://twitter.com/WolfgangSesin/status/1596413539996033030", "text": "New post from https://t.co/uXvPWJy6tj (CVE-2022-39331 | Nexcloud Desktop up to 3.6.0 cross site scripting (GHSA-c3xh-q694-6rc5)) has been published on https://t.co/1afEzvF6TC", "author": "WolfgangSesin", "author_photo": "https://pbs.twimg.com/profile_images/957011635369054208/Om3jbj7z_400x400.jpg"}]}, "affected_software": {"major_version": [{"name": "nextcloud desktop", "version": 3}]}, "vulnersScore": 2.7}, "_state": {"dependencies": 1670066695, "score": 
1670067917, "twitter": 0, "affected_software_major_version": 1671611801}, "_internal": {"score_hash": "2ea3851e66d03fef47ca13142fff5028"}, "cna_cvss": {"cna": "GitHub, Inc.", "cvss": {"3": {"vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "score": 4.6}}}, "cpe": [], "cpe23": [], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "nextcloud:desktop", "version": "3.6.1", "operator": "lt", "name": "nextcloud desktop"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:nextcloud:desktop:3.6.1:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.1", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://github.com/nextcloud/desktop/pull/4944", "name": "https://github.com/nextcloud/desktop/pull/4944", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://hackerone.com/reports/1668028", "name": "https://hackerone.com/reports/1668028", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5", "refsource": "CONFIRM", "tags": ["Third Party Advisory"]}]}
{"nextcloud": [{"lastseen": "2022-12-01T16:09:00", "description": "## Description\n\n### Impact\n\nAn attacker can inject arbitrary HyperText Markup Language into the Desktop Client application.\n\n### Patches\n\nIt is recommended that the Nextcloud Desktop client is upgraded to 3.6.1\n\n### Workarounds\n\nNo workaround available\n\n### References\n\n * [HackerOne](<https://hackerone.com/reports/1668028>)\n * [PullRequest](<https://github.com/nextcloud/desktop/pull/4944>)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n * Create a post in [nextcloud/security-advisories](<https://github.com/nextcloud/security-advisories/discussions>)\n * Customers: Open a support ticket at [support.nextcloud.com](<https://support.nextcloud.com>)\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-11-25T11:30:04", "type": "nextcloud", "title": "XSS in Desktop Client in the notifications", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-39331"], "modified": "2022-11-25T11:30:04", "id": "GHSA-C3XH-Q694-6RC5", "href": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5", "cvss": {"score": 0.0, "vector": "NONE"}}], "veracode": [{"lastseen": "2022-12-09T12:33:21", "description": "nextcloud-desktop is vulnerable to cross-site scripting. 
An attacker can inject and execute malicious HyperText Markup Language into the Desktop Client application through the notifications\n", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-12-05T05:26:42", "type": "veracode", "title": "Cross-site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2022-39331"], "modified": "2022-12-06T03:32:15", "id": "VERACODE:38332", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-38332/summary", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntucve": [{"lastseen": "2022-12-02T13:09:35", "description": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can\ninject arbitrary HyperText Markup Language into the Desktop Client\napplication in the notifications. It is recommended that the Nextcloud\nDesktop client is upgraded to 3.6.1. 
There are no known workarounds for\nthis issue.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-11-25T00:00:00", "type": "ubuntucve", "title": "CVE-2022-39331", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-39331"], "modified": "2022-11-25T00:00:00", "id": "UB:CVE-2022-39331", "href": "https://ubuntu.com/security/CVE-2022-39331", "cvss": {"score": 0.0, "vector": "NONE"}}], "debiancve": [{"lastseen": "2023-02-05T02:07:43", "description": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. 
There are no known workarounds for this issue.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-11-25T19:15:00", "type": "debiancve", "title": "CVE-2022-39331", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-39331"], "modified": "2022-11-25T19:15:00", "id": "DEBIANCVE:CVE-2022-39331", "href": "https://security-tracker.debian.org/tracker/CVE-2022-39331", "cvss": {"score": 0.0, "vector": "NONE"}}], "hackerone": [{"lastseen": "2023-02-03T02:24:23", "bounty": 750.0, "description": "## Summary:\nThe `Nextcloud Desktop Client` application does not properly neutralize the names of files before using them.\n\n## Steps To Reproduce:\n\n### Server Machine\n1. Install the `Nextcloud Server` application\n2. Log into your account\n\n### Client Machine\n3. Install the `Nextcloud Desktop Client` application onto a machine that is running the `Windows 10` operating system\n4. Log into your account\n\n### Server Machine\n5. Upload any file to your `Nextcloud Server` instance\n6. Rename the file that you uploaded to `<h1><b><i><u>MikeIsAStar`\n\n### Client Machine\n7. Wait until a notification appears exclaiming that some files could not synchronized\n8. Open the main dialog window of the `Nextcloud Desktop Client` application\n9. 
Observe that the name of the file that you uploaded is treated as `HyperText Markup Language`\n\n## Supporting Material/References:\n{F1864812}\n\n## Impact\n\nAn attacker can inject arbitrary `HyperText Markup Language` into the `Nextcloud Desktop Client` application.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-08-12T19:00:00", "type": "hackerone", "title": "Nextcloud: XSS in Desktop Client in the notifications", "bulletinFamily": "bugbounty", "cvss2": {}, "cvelist": ["CVE-2022-39331"], "modified": "2022-11-25T11:29:58", "id": "H1:1668028", "href": "https://hackerone.com/reports/1668028", "cvss": {"score": 0.0, "vector": "NONE"}}]}