Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-39331 (GCVE-0-2022-39331)
Vulnerability from cvelistv5 – Published: 2022-11-25 00:00 – Updated: 2025-11-03 18:08
VLAI?
EPSS
Summary
Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextcloud | security-advisories |
Affected:
< 3.6.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T18:08:02.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/nextcloud/desktop/pull/4944"
},
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/1668028"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39331",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:00.460239Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:00:31.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 3.6.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-25T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"url": "https://github.com/nextcloud/desktop/pull/4944"
},
{
"url": "https://hackerone.com/reports/1668028"
}
],
"source": {
"advisory": "GHSA-c3xh-q694-6rc5",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting (XSS) in Nexcloud Desktop Client"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39331",
"datePublished": "2022-11-25T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-11-03T18:08:02.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.6.1\", \"matchCriteriaId\": \"A7633B29-D30E-483A-BDB1-41514D9358A6\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.\"}, {\"lang\": \"es\", \"value\": \"Nexcloud Desktop es el cliente de sincronizaci\\u00f3n de escritorio para Nextcloud. Un atacante puede inyectar un lenguaje de marcado de hipertexto arbitrario en la aplicaci\\u00f3n del cliente de escritorio en las notificaciones. Se recomienda actualizar el cliente de escritorio Nextcloud a 3.6.1. No se conocen workarounds para este problema.\"}]",
"id": "CVE-2022-39331",
"lastModified": "2024-11-21T07:18:03.333",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\", \"baseScore\": 4.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
"published": "2022-11-25T19:15:11.250",
"references": "[{\"url\": \"https://github.com/nextcloud/desktop/pull/4944\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1668028\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/desktop/pull/4944\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1668028\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-39331\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-25T19:15:11.250\",\"lastModified\":\"2025-11-03T19:15:40.543\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.\"},{\"lang\":\"es\",\"value\":\"Nexcloud Desktop es el cliente de sincronizaci\u00f3n de escritorio para Nextcloud. Un atacante puede inyectar un lenguaje de marcado de hipertexto arbitrario en la aplicaci\u00f3n del cliente de escritorio en las notificaciones. Se recomienda actualizar el cliente de escritorio Nextcloud a 3.6.1. No se conocen workarounds para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.6.1\",\"matchCriteriaId\":\"A7633B29-D30E-483A-BDB1-41514D9358A6\"}]}]}],\"references\":[{\"url\":\"https://github.com/nextcloud/desktop/pull/4944\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1668028\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/desktop/pull/4944\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1668028\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/nextcloud/desktop/pull/4944\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://hackerone.com/reports/1668028\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-11-03T18:08:02.683Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-39331\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-22T15:41:00.460239Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-22T15:41:07.685Z\"}}], \"cna\": {\"title\": \"Cross-site Scripting (XSS) in Nexcloud Desktop Client\", \"source\": {\"advisory\": \"GHSA-c3xh-q694-6rc5\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"nextcloud\", \"product\": \"security-advisories\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5\"}, {\"url\": \"https://github.com/nextcloud/desktop/pull/4944\"}, {\"url\": \"https://hackerone.com/reports/1668028\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-11-25T00:00:00.000Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-39331\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-03T18:08:02.683Z\", \"dateReserved\": \"2022-09-02T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-11-25T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GSD-2022-39331
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-39331",
"description": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"id": "GSD-2022-39331",
"references": [
"https://www.suse.com/security/cve/CVE-2022-39331.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-39331"
],
"details": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"id": "GSD-2022-39331",
"modified": "2023-12-13T01:19:20.398194Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-39331",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) in Nexcloud Desktop Client"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_value": "\u003c 3.6.1"
}
]
}
}
]
},
"vendor_name": "nextcloud"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5",
"refsource": "CONFIRM",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"name": "https://github.com/nextcloud/desktop/pull/4944",
"refsource": "MISC",
"url": "https://github.com/nextcloud/desktop/pull/4944"
},
{
"name": "https://hackerone.com/reports/1668028",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1668028"
}
]
},
"source": {
"advisory": "GHSA-c3xh-q694-6rc5",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.6.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-39331"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextcloud/desktop/pull/4944",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/desktop/pull/4944"
},
{
"name": "https://hackerone.com/reports/1668028",
"refsource": "MISC",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1668028"
},
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2022-12-01T13:37Z",
"publishedDate": "2022-11-25T19:15Z"
}
}
}
OPENSUSE-SU-2023:0090-1
Vulnerability from csaf_opensuse - Published: 2023-04-12 10:56 - Updated: 2023-04-12 10:56Summary
Security update for nextcloud-desktop
Notes
Title of the patch
Security update for nextcloud-desktop
Description of the patch
This update for nextcloud-desktop fixes the following issues:
nextcloud-desktop was updated to 3.8.0:
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix 'Create new folder' menu entries in settings not working correctly on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until clicked on
- Always discover blacklisted folders to avoid data loss when modifying selectivesync list.
- Fix infinite loading in the share dialog when public link shares are disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from derypted byte array.
- When local sync folder is overriden, respect this choice
- Feature/e2ee fixes
- This also fix security issues:
- (boo#1205798, CVE-2022-39331)
- Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332)
- Arbitrary HyperText Markup Language injection in user status and information
- (boo#1205800, CVE-2022-39333)
- Arbitrary HyperText Markup Language injection in desktop client application
- (boo#1205801, CVE-2022-39334)
- Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942)
- missing sanitisation on qml labels leading to javascript injection
- Update to 3.7.4
- check German translation for wrong wording
- Fix 'Create new folder' menu entries in settings not working correctly on macOS
- Clean up account creation and deletion code
- Fix share dialog infinite loading
- fix edit locally job not finding the user account: wrong user id
- skip e2e encrypted files with empty filename in metadata
- Always discover blacklisted folders to avoid data loss when modifying selectivesync list.
- use new connect syntax
- with cfapi when dehydrating files add missing flag
- Fix avatars not showing up in settings dialog account actions until clicked on
- Fix text labels in Sync Status component
- Fix infinite loading in the share dialog when public link shares are disabled on the server
- Ci/clang tidy checks init variables
- Display 'Search globally' as the last sharees list element
- Resize WebView widget once the loginpage rendered
- Bugfix/do not restore virtual files
- Fix display of 2FA notification.
- Update to 3.7.3
- Revert 'Fix(l10n): capital_abcd Update translations from Transifex'
- Revert 'Fix(l10n): capital_abcd Update translations from Transifex'
- Revert 'Fix(l10n): capital_abcd Update translations from Transifex'
- Update to 3.7.2
- No regular changelog from upstream.
See instead: https://github.com/nextcloud/desktop/compare/v3.7.1...v3.7.2
- Update to 3.7.1
- Backport/5393/stable 3.7 by @mgallien in #5403
- Fix wrong estimated time when doing sync. in #4902
- Bugfix/selective sync abort error in #4903
- Set UnifiedSearchResultNothingFound visibility less messily in #4751
- Clean up QML type and singleton registration in #4817
- Simplify activity list delegates by making them ItemDelegates, clean up in #4786
- Improve activity list highlighting/keyboard item selection in #4781
- Replace private API QZipWriter with KArchive in #4768
- makes Qt WebEngine optional only on macOS in #4875
- Bugfix/conflict resolution when selecting folder in #4914
- Fix fileactivitylistmodel QML registration in #4920
- Updated link to documentation in #4792
- Fix menu bar height calculation on macOS in #4917
- Fix ActivityItem activityHover error in #4921
- Fix add account window text clipping, enlarge text in #4910
- Accept valid lsColJob reply XML content types in #4919
- Fix low-resolution file changed overlay icons in activities in #4930
- Refactor ActivityListModel population mechanisms in #4736
- Make account setup wizard's adjustWizardSize resize to current page size instead of largest wizard page in #4911
- Deallocate call notification dialog objects when closed by @claucambra in #4939
- Ensure that the file being processed has had its etag properly sanitised, log etag more in #4940
- Feature/syncjournaldb handle errors in #4819
- Do not format text in QML components as HTML in #4944
- Fix two factor auth notification: activity item was disabled. in #4961
- Add a placeholder item for empty activity list in #4959
- Ensure strings in main window QML are presented as plain text and not HTML by @claucambra in #4972
- Improve handling of file name clashes by @claucambra in #4970
- Add a QSortFilterProxyModel-based SortedActivityListModel by @claucambra in #4933
- Bring back .lnk files on Windows and always treat them as non-virtual files. by @allexzander in #4968
- Fix two factor authentication notification by @camilasan in #4967
- Ensure placeholder message in emoji picker wraps correctly in #4960
- Make activity action button an actual button, clean up contents in #4784
- Improve the error box QML component in #4976
- Fix 'Reply' primary property. in #4985
- Fix sync progress bar colours in dark mode in #4986
- Fix predefined status text formatting in #4987
- Don't set up tray context menu on macOS, even if not building app bundle in #4988
- Ci/check clang tidy in ci in #4995
- check our code with clang-tidy in #4999
- alway use constexpr for all text constants in #4996
- avoid possibly crashing static_cast in #4994
- switch AppImage CI to latest tag: client-appimage-6 in #5003
- configure a list of checks for clang-tidy in #5004
- Fix link shares default expire date being enforced as maximum expire date even when maximum date enforcement is disabled on the server in #4982
- apply modernize-use-using via clang-tidy in #4993
- Ci/use no discard in #4992
- Fix files not unlocking after lock time expired in #4962
- Update client image in #5002
- let's check the format via some github action in #4991
- Feature/vfs windows sharing and lock state in #4942
- Update after tx migrate in #5019
- Improve 'Handle local file editing' feature. Add loading popup. Add force sync before opening a file. in #4990
- Command-line client. Do not trust SSL certificates by default, unless '--trust' option is set. in #5022
- Bugfix/files lock fail metadata in #5024
- do not ignore return value in #4998
- improve logs when adding sync errors in activity list of main dialog in #5032
- Fix invisible user status selector button not being checked when user is in Offline mode in #5012
- use correct version copmparison on NSIS updater: fix update from rc in #4979
- Bugfix/check token for edit locally requests in #5039
- Fix the dismiss button: display it whenever possible. in #4989
- Fix account not found when doing local file editing. in #5040
- Improve 'pretty user name'-related strings, display in webflow credentials in #5013
- Update CHANGELOG with 3.6.1 changes. in #5066
- Fix call notification dialog buttons in #5074
- validate certificate for E2EE against private key in #4949
- emit missing signal to update folder sync status icon in #5087
- Update CMake usage in README build instructions in #5086
- Clean up methods in sync engine in #5071
- Make Systray's void methods slots in #5042
- Remove unneeded parameter from CleanupPollsJob constructor in #5070
- Add a 'Sync now' button to the sync status header in the tray window in #5018
- Modernise and improve code in AccountManager in #5026
- Fix macOS autoupdater settings in #5102
- Validate and sanitise edit locally token and relpath before sending to server in #5093
- Refactor FolderMan's 'Edit Locally' capabilities as separate class in #5107
- Modernise and improve code in AccountSettings in #5027
- Fix compatibility with newer python3-nautilus in #5105
- Only show Sync Now button if account is connected in #5097
- use new public API to open an edit locally URL in #5116
- Add a new file details window, unify file activity and sharing in #4929
- E2EE. Do not generate keypair without user request. in #5067
- Fix incorrect current user index when adding or removing a user account. Also fix incorrect user avatar lookup by id. in #5092
- Remove unused internal link widget from old share dialog in #5123
- Use separate variable for cfg file name in CMAKE. in #5136
- Bugfix/delete folders during propagation even when propagation has errors in #5104
- Remove unused app pointer in CocoaInitializer in #5127
- Ensure 'Sync now' button doesn't have its text elided in #5129
- Fix share delegate button icon colors in dark mode in #5132
- Do not use copy-assignment of QDialog. in #5148
- Remove unused remotePath in User::processCompletedSyncItem in #5118
- Make user status selector modal, show user header in #5145
- properly escape a path when creating a test file during tests in #5151
- Add support cmake unity build in #5109
- Fix typo of connector in #5157
- fully qualify types in signals and slots in #5088
- Remove reference to inexistent property in NCCustomButton in #5173
- Fix ActivityList delegate warnings in #5172
- Ensure forcing a folder to be synced unpauses syncing on said folder in #5152
- switch back to upstream craft in #5178
- fix renaming of folders with a deep hierarchy inside them in #5182
- fix instances of: c++11 range-loop might detach Qt container warnings in #5089
- Implement context menu entry 'Leave this share' in #5081
- check that we update local file mtime on changes from server in #5188
- Add end-to-end tests to our CI in #5124
- Modernize the Dolphin action plugin in #5192
- Ci/do not modify configuration file duringtests in #5200
- cmake: Use FindPkgConfig's pkg_get_variable instead of custom macro in #5199
- Fix tray window margins, stop cutting into window border in #5202
- fix regressions on pinState management when doing renames in #520
- Fix bad custom button alignments, sizings, etc. in #5189
- Ci/do not override configuration file in #5206
- Clearly tell user that E2EE has been enabled for an account in #5164
- Fix CfApiShellExtensionsIPCTest in #5209
- l10n: Fixed grammar in #5220
- Prevent bad encrypting of folder if E2EE has not been correctly set up in #5223
- Remove close/dismiss button from encryption message in #5163
- Update macOS shell integration deployment targets in #5227
- Bugfix/case cash conflicts should not terminate sync in #5224
- Differentiate between E2EE not being enabled at all vs. E2EE being enabled already through another device in account settings message in #5179
- Ensure more QML text components are rendering things as plain text in #5231
- l10n: Correct spelling in #5221
- Make use of plain text-enforcing qml labels in #5233
- Feature/edit file locally restart sync in #5175
- Fix CI errors for Edit Locally. in #5241
- Lock file when editing locally in #5226
- Format some QLabels as plain text in #5247
- do not create GUI from a random thread and show error on real error in #5253
- Fix BasicComboBox internal layout in #5216
- Explicitly size and align user status selector text input to avoid bugs with alternate QtQuick styles in #5214
- do not use bulk upload for e2ee files in #5256
- Only show mnemonic request dialog when user explicitly wants to enable E2EE in #5181
- Replace share settings popup with a page on a StackView in #5194
- Add interactive NC Talk notifications on macOS in #5143
- Show file details within the tray dialog, rather than in a separate dialog in #5139
- Silence sync termination errors when running EditLocallyJob. in #5261
- Fix typo in #5257
- Add an 'Encrypt' menu entry in file browser context menu for folders in #5263
- Add a nix flake for easy building and dev environments in #5007
- Add an internal link share to the share dialog in #5131
- Avoid the Get-Task-Allow Entitlement (macOS Notarization) in #5274
- sets a fixed version for pixman when buildign desktop client via Craft in #5269
- Fix SyncEngineTest failure when localstate is destroyed. in #5273
- Feature/remove obsolete names in #5271
- Remove unused HeaderBanner component in #5245
- Feature/do not sync enc folders if e2ee is not setup in #5258
- fix migration from old settings configuration files in #5141
- Use QFileInfo::exists where we are only creating a QFileInfo to check if file exists in #5291
- Make correct use of Qt signal 'emit' keyword in #5287
- Remove unused variables in #5290
- Declare all QRegularExpressions statically in #5289
- l10n: Remove space in #5297
- Feature/move shellextensions to root installdir in #5295
- Improve backup dark mode palette for Windows in #5298
- Allow setting up an account with apppasword and folder via command-line arguments. For deployment. in #5296
- Update file's metadata in the local database when the etag changes while file remains unchanged.
Fix subsequent conflict when locking and unlocking. in #5293
- Fix warnings on QPROPERTY-s in #5286
- Replace now deprecated FSEventStreamScheduleWithRunLoop with FSEventStreamSetDispatchQueue in #5272
- Fix macOS shell integration class inits in #5299
- Drop dependency on Qt Quick Controls 1 in #5309
- Fix full-text search results not being opened in browser in #5279
- Feature/allow forceoverrideurl via command line in #5329
- Bugfix/e2ee vulnerability empty metadatakeys in #5323
- Always generate random initialization vector when uploading encrypted file in #5324
- Fix bad string for translation. in #5358
- Update legal notice to 2023 in #5361
- Fix migration from legacy client when override server url is set in #5322
- Don't try to lock folders when editing locally in #5317
- Fix fetch more unified search result item not being clickable in #5266
- Add ability to disable E2EE in #5167
- Remove unused monochrome icons setting in #5366
- Feature/sync with case clash names in #5232
- Edit locally. Do not lock if locking is disabled on the server. in #5371
- Revert 'Merge pull request #5366 from nextcloud/bugfix/remove-mono-icons-setting' in #5372
- Open calendar notifications in the browser. in #4684
- Migrate old configs in #5362
- Always unlock E2EE folders, even when network failure or crash. in #5370
- Fix displaying of file details button for local syncfileitem activities in #5380
- Improve config upgrade warning dialog in #5386
- Backport/5385/stable 3.7 in #5388
- Update to 3.6.6
- Revert 'Fix(l10n): capital_abcd Update translations from Transifex' 33f3975
- Update to 3.6.5
- do not assert when sharing to a circle in #5310
- Fix macOS shell integration class inits in #5311
- Drop dependency on Qt Quick Controls 1 in #5312
- Feature/allow forceoverrideurl via command line in #5332
- Fix typo in #5270
- check that we update local file mtime on changes from server in #5321
- fix regressions on pinState management when doing renames in #5333
- Always generate random initialization vector when uploading encrypted file in #5334
- Fix SyncEngineTest failure when localstate is destroyed. in #5336
- Bugfix/e2ee vulnerability empty metadatakeys in #5335
- Update to 3.6.4
- do not create GUI from a random thread and show error on real error
- Update to 3.6.3
- Fix typo of connector
- fix renaming of folders with a deep hierarchy inside them
- Make user status selector modal, show user header
- Prevent bad encrypting of folder if E2EE has not been correctly set up
- Feature/edit file locally restart sync
- Add forcefoldersync method to folder manager
- Make use of plain text-enforcing qml labels
- Lock file when editing locally
- Format some QLabels as plain text
- Update to 3.6.2
- Fix call notification dialog buttons by @backportbot-nextcloud in #5075
- emit missing signal to update folder sync status icon by @backportbot-nextcloud in #5090
- Fix macOS autoupdater settings by @backportbot-nextcloud in #5103
- Validate and sanitise edit locally token and relpath
before sending to server by @backportbot-nextcloud in #5106
- Fix compatibility with newer python3-nautilus by @backportbot-nextcloud in #5112
- Refactor FolderMan's 'Edit Locally' capabilities
as separate class by @backportbot-nextcloud in #5111
- use new public API to open an edit locally URL by @backportbot-nextcloud in #5117
- Use separate variable for cfg file name in CMAKE. by @backportbot-nextcloud in #5140
- Fix stable-3.6 compile on macOS by @claucambra in #5154
- Fix bad backport of CustomButton changes in Stable-3.6 by @claucambra in #5155
- Backport/5067/stable 3.6 by @allexzander in #5153
- Backport/5092/stable 3.6 by @allexzander in #5156
- properly escape a path when creating a test file during tests by @backportbot-nextcloud in #5158
- Split out the dbus service related files that provides
libcloudproviders integration for nextcloud desktop client into
a separate package; when this is installed, launching any
app supporting libowncloudproviders (e.g. nautilus on GNOME)
will automatically launch the desktop client -- which is rather
annoying to happen by default, esp. in cases where a user does
not even have a nextcloud account (gh#nextcloud/desktop#1982,
gh#nextcloud/desktop#2622).
- Make the extension working again on Nautilus 43.
This patch also support previous Nautilus versions.
- Update to 3.6.1
- Fix wrong estimated time when doing sync.
- Bugfix/selective sync abort error
- Bugfix/conflict resolution when selecting folder
- Fix menu bar height calculation on macOS
- Fix add account window text clipping, enlarge text
- Accept valid lsColJob reply XML content types
- Fix low-resolution file changed overlay icons in activities
- Deallocate call notification dialog objects when closed
- Ensure that the file being processed has had its etag properly sanitised, log etag more
- Ensure strings in main window QML are presented as plain text and not HTML
- Do not format text in QML components as HTML
- Fix two factor authentication notification
- Bring back .lnk files on Windows and always treat them as non-virtual files.
- Fix 'Reply' primary property.
- Update after tx migrate
- Command-line client. Do not trust SSL certificates by default,
unless '--trust' option is set.
- Fix invisible user status selector button not being checked when user is in Offline mode
- Fix link shares default expire date being enforced as maximum expire date
even when maximum date enforcement is disabled on the server
- Backport/4989/stable 3.6
- use correct version copmparison on NSIS updater: fix update from rc
- Improve 'Handle local file editing' feature. Add loading popup. Add f…
- Backport/5039/bugfix/check token for edit locally requests
- Fix account not found when doing local file editing.
- Fix two factor auth notification: activity item was disabled.
- Fix predefined status text formatting
- Fix sync progress bar colours in dark mode
- Improve handling of file name clashes
- Ensure placeholder message in emoji picker wraps correctly
- Update to 3.6.0
- Fix crash in cldapi.dll
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text color
- Fix crashing when selecting user status and predefined statuses not appearing
- Make user status dialog look in line with the rest of the desktop client tray and Nextcloud
- Add a placeholder message for the recents tab of the emoji picker
- Add SVG icon styled for macOS Big Sur
- Ensure the dispatch source only gets deallocated after the dispatch_source_cancel is done,
avoiding crashing of the Finder Sync Extension on macOS
- Properly adapt the UserStatusSelectorModel to QML, eliminate hacks, make code more declarative
- Fix the system tray menu not being correctly replaced in setupContextMenu on GNOME
- Make the share dialog resizeable
- Make client language gender-neutral and more clear
- Use an en-dash for the userstatus panel
- Close call notifications when the call has been joined by the user, or the call has ended
- Correct spelling
- Print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Windows CI. Use specific Craft revision.
- Add 'db/local/remote' reference to log string.
- Work around issues with window positioning on Linux DEs,
hardcode tray window to screen center when new account added
- Add a custom back button to the account wizard's advanced setup page
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Increase the call state checking interval to not overload the server
- Fix bad quote in CMakeLists PNG generation message
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been set
- Switch to using the main client CI image based on ubuntu 22.04
- Limit concurrent notifications
- Use macOS-specific application icon
- QML-ify the UserModel, use properties rather than setter methods
- Take ints by value rather than reference in UserModel methods
- Feature/vfs windows thumbnails
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Restyle unified search skeleton items animation and simplify their code
- Stop styling QML unified search items hierarchically, use global Style constants
- Use preprocessor directive rather than normal 'if' for UNNotification types
- Make apps menu scrollable when content taller than available vertical space,
preventing borking of layout
- Ensure that throttled notifications still appear in tray activity model
- Stop clearing notifications when new notifications are received
- Fix ActivityItemContent QML paintedWidth errors
- Clicking on an activity list item for a file opens the local file if available
- Replace unified search text field busy indicator with custom indicator
- Update macOS Info.plist
- Ensure debug archive contents are readable by any user
- Remove Ubuntu Impish, add Kinetic
- Make UserStatusSelector a dismissible page pushed onto the tray window
- Feature/handle edit locally
- Add Debian Bullseye build
- Double-clicking tray icon opens currently-selected user's local folder (if available)
- Clean up TalkReplyTextField, remove unnecessary parent Item
- Refactor user line
- Do not reboot PC when running an MSI via autoupdate.
- Always run MSI with full UI.
- Eliminate padding around the menu separator in the account menu
- Feature/enable more warnings also for gcc
- Move CFAPI shell extensions variables to root CMakeLists.
- Move URI scheme variable from Nextcloud.cmake to root CMakeListsts.
- Ensure SyncEngine use an initialized instance of SyncOptions
- Fix QML warnings
- I18n: Spelling unification
- Fix crash: 'Failed to create OpenGL context'.
- Fix bugs with setting 'Away' user status
- Fix greek translation for application name in menu
- Align, resize, and layout everything uniformly in the unified search view
- Remove libglib-2.0.so.0 and libgobject-2.0.so.0 from Appimage.
- Fix unified search item placeholder image source
- Use same tooltip component everywhere, fix tooltip clipping bugs
- Fix account switching and hover issues with UserLine component
- Remove Ubuntu Focal
- Add a ScrollView to the predefined statuses area of the UserStatusSelector
- Prevent the 'Cancel' button of the user status selector getting squashed
- Ensure that clear status message combo box is at least implicit width
- Fix alignment of predefined status contents regardless of emoji fonts
- Prevent crashing when trying to create error-ing QML component in systray.cpp, output error to log
- Add CHANGELOG.md.
- Ensure file activity dialog is centered on screen and appears at top of window stack
- Build script for AppImage should not assume Nextcloud is the name
- Fix File Activities dialog not showing up.
- Reads and store fileId and remote permissions during bulk upload
- Do not build qt keychain already included in the CI images
- Bugfix/web engine on win11
- Update CHANGELOG for the 3.6.0 release.
- Fix script that upload AppImage to go in correct path
- Update to 3.5.4
- Add and use DO_NOT_REBOOT_IN_SILENT=1 parameter for MSI to not reboot during the auto-update.
- Update to 3.5.3
- Fix the system tray menu not being correctly replaced in setupContextMenu on GNOME
- Ensure call notification stays on top of other windows
- Work around issues with window positioning on Linux DEs,
hardcode tray window to screen center when new account added
- Clean up systray methods, make more QML-friendly
- Refactor tray window opening code for clarity and efficiency
- Only set _FORTIFY_SOURCE when a higher level of this flag has not been set
- Limit concurrent notifications
- Take ints by value rather than reference in UserModel methods
- Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS
- Use preprocessor directive rather than normal 'if' for UNNotification types
- QML-ify the UserModel, use properties rather than setter methods
- Fix ActivityItemContent QML paintedWidth errors
- Stop clearing notifications when new notifications are received
- Ensure debug archive contents are readable by any user
- Stop styling QML unified search items hierarchically, use global Style constants
- Update macOS Info.plist
- print sync direction in SyncFileStatusTracker::slotAboutToPropagate
- Remove Ubuntu Impish, add Kinetic
- Ensure that throttled notifications still appear in tray activity model
- Make apps menu scrollable when content taller than available vertical space,
preventing borking of layout
- Update to 3.5.2
- Explicitly ask user for notification authorisation on launch (macOS)
- Fix crash caused by overflow in FinderSyncExtension
- add new fixup workflow from nextcloud org
- Display chat message inside the OS notification.
- Fix 'TypeError: Cannot readproperty 'messageSent' of undefined'.
- Add a transparent background to the send reply button.
- Fix build on macOS versions pre-11 (down to 10.14)
- Ignore Office temp folders on Mac ('.sb-' in folder name).
- Remove assert, it is no longer useful.
- Add contrast to the text/icon of buttons if the server defined color is light.
- fix general section
- Remove tooltip because it is only repeating the label of the link.
- bugfix/share-dialog
- Updating command-rebase.yml workflow from template
- Reply button size should be same as the input field, smaller + text color
- Close call notifications when the call has been joined by the user, or the call has ended
- Increase the call state checking interval to not overload the server
- Ensure the dispatch source only gets deallocated after
the dispatch_source_cancel is done, avoiding crashing of the Finder Sync Extension on macOS
* A more future-proof and distribution friendly fix for boo#1201070
- Fix Tumbleweed build and install error boo#1201070.
Use own CFLAGS for Tumblweed with -D_FORTIFY_SOURCE=2 instead of -D_FORTIFY_SOURCE=3.
- Update to 3.5.1
- Add new and correct sparkle update signature
- l10n: Remove string from translation
- l10n: Changed triple dot to ellipsis
- Ensure cache is stored in default cache location
- Updating command-rebase.yml workflow from template
- Remove '…' from 'Create Debug Archive' button
- docs: Replace 'preceded' with 'followed'
- only add OCS-APIREQUEST header for 1st request of webflow v1
- Make the make_universal.py script more verbose for easier debugging
- Revamp notifications for macOS and add support for actionable update notifications
- Use proper online status for user ('dnd', 'online', 'invisible', etc.) to enable or disable desktop notifications.
- Bugfix. Take root folder's files size into account when displaying the total size in selective sync dialog.
- Fix activity list item issues with colours/layout/etc.
- Bugfix/allow manual rename files with spaces
- Fixed share link expiration box being ineditable and always attempting to set invalid date
- Fix crashing of finder sync extension caused by dispatch_source_cancel of nullptr
- Simplify and remove the notification 'cache'
- Fix tray icon not displaying 'Open main dialog'
- if an exclude file is deleted, skip it and remove it from internal list
- Bugfix/two factor notification
- Fix visual borking in the share dialog
- add explicit capture for lambda
- Update to 3.5.0
- Require cmake 3.16
- Add testing for ActivityListModel
- Check for dbus-1 when building with cloudproviders
- Add ability to copy internal link from share dialog
- Feature/improve activity buttons
- Add thumbnails for files in the activity view
- Use proper API to dehydrate a placeholder file
- Feature/Talk Reply v1
- Ensure we emit a rename command for renamed files
- Remove Hirsute, add Jammy
- Allow account menu to scroll when content height is larger than menu height
- Always build with updater. Use 'beta/stable' channel selector in 'General Settins' dialog with default 'stable'.
- Cmake option to disable proxy
- Add support for server color theming
- No longer assume status bar height, calculate, fixing notch borking on new MacBook Pro
- Add a dark mode
- Generates pot files automatically.
- Add headers in cmake files to get them properly detected
- Ensure that bulk upload network job errors are handled
- Do not remove a folder that has files that were not uploaded yet during propagation
- L10n: Change to lowercase
- Simplify currentScreen in systray.cpp
- Fix warn colour in dark mode
- Do not remove files from a Group folder and its nested folders when it is renamed or removed while not allowed.
- Rollback local move on server move failure
- Implement local socket to communicate with finder extension
- Bugfix/prevent overflow with mtime
- L10n: Changed spelling
- Add 'Help' action back.
- Ensure file activity dialog appears in centre of screen
- Increase maximum text line count in tray activity items to two lines
- Fix file activity dialog
- Properly ask Qt to create qml opengl surface with proper options
- Old submodule url does not work anylonger
- Old submodule url does not work anylonger
- Prepare for 3.5.0-rc1
- Fix icon color and highlight color issues
- Fix for VFS crashes due to mimetype checking for thumbnails
- Fix various dark mode bugs
- Add a new yml github issue template for bug reports.
- Ensure we only store update channel not localized in settings
- Improve talk reply
- Prepare for 3.5.0-rc2
- Bugfix/talk reply part 2
- Darkmode. Fix crash on exit.
- Avoid deleting renamed file with spaces in name
- More dark mode fixes
- Ensure we do properly failed hydration jobs
- Fix build of appimage for branded clients
- Prepare for 3.5.0-rc3
- Feature/files lock
- Add call notification dialog.
- Fix thumbnails for new files made while client open
- Increase time between connection tries
- Improve contrast on server color themed elements
- Fix positioning of activities in the activities list
- Bugfix/activities fetch server overload
- Realigned and resized thumbnails
- Add user avatars in talk notifications in activity list
- Fix sparkle implementation in the desktop client
- Prepare 3.5.0-rc4
- Prepare final 3.5.0 release
- Update to 3.4.4
- Do not remove files from a Group
folder and its nested folders when it is renamed or removed
while not allowed.
- Bugfix/prevent overflow with mtime
- Old submodule url does not work anylonger
- Update to 3.4.3
- Remove Hirsute, add Jammy
- Cmake option to disable proxy
- ensure we emit a rename command for renamed files
- Makes sure that sync engine terminates when an error happen
- ensure that bulk upload network job errors are handled
- Rollback local move on server move failure
- Do not remove a folder that has files that were not uploaded yet during propagation
- Update to 3.4.2
- Bugfix/force re-login on SSL Handshake error
- Do not display 'Conflict when uploading some files to a folder
- Windows. MSI. Unregister Nextcloud folders in SyncRootManager on uninstall.
- Unbreak loading translations
- Hide share button for deleted files and ignored files in tray activity
- Display error message when creating a link share with compromised password.
- Bugfix. Re-init sharing manager to enable link sharing UI when receivng sharing permissions.
- Show only filenames in tray activity items, with full path in tooltip
- use proper API to dehydrate a placeholder file
- Add macOS *.textClipping files to ignore list
- Updatete to 3.4.1
- fix random error when updating CfApi metadata
- do not forget the path when renaming files with invalid names
- Bugfix/assert invalid modtime
- Feature/folder logo variations
- Always prefill username from Windows login name based on server version
- Bugfix/3.4.1 rc1
- Bugfix/sync stuck on error
- Bugfix/force download local invalid files
- Enforce VFS. Disable 'Make always available locally'.
- Bugfix/avoid sync getting stuck
- Fix CMake error in ECMAddAppIcon for mac
- Do not crash on findAndCancelDeletedJob
- ensure any errors after calling FileSystem::getModTime are handled
- Skiped version 3.4.0 because of modtime bug:
See: https://github.com/nextcloud/desktop/pull/4049
Please read the following wiki page How to fix files invalid modification date:
https://github.com/nextcloud/desktop/wiki/Fix-bug-invalid-modification-date
Patchnames
openSUSE-2023-90
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nextcloud-desktop",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nextcloud-desktop fixes the following issues:\n\nnextcloud-desktop was updated to 3.8.0:\n\n - Resize WebView widget once the loginpage rendered\n - Feature/secure file drop\n - Check German translation for wrong wording\n - L10n: Correct word\n - Fix displaying of file details button for local syncfileitem activities\n - Improve config upgrade warning dialog\n - Only accept folder setup page if overrideLocalDir is set\n - Update CHANGELOG.\n - Prevent ShareModel crash from accessing bad pointers\n - Bugfix/init value for pointers\n - Log to stdout when built in Debug config\n - Clean up account creation and deletion code\n - L10n: Added dot to end of sentence\n - L10n: Fixed grammar\n - Fix \u0027Create new folder\u0027 menu entries in settings not working correctly on macOS\n - Ci/clang tidy checks init variables\n - Fix share dialog infinite loading\n - Fix edit locally job not finding the user account: wrong user id\n - Skip e2e encrypted files with empty filename in metadata\n - Use new connect syntax\n - Fix avatars not showing up in settings dialog account actions until clicked on\n - Always discover blacklisted folders to avoid data loss when modifying selectivesync list.\n - Fix infinite loading in the share dialog when public link shares are disabled on the server\n - With cfapi when dehydrating files add missing flag\n - Fix text labels in Sync Status component\n - Display \u0027Search globally\u0027 as the last sharees list element\n - Fix display of 2FA notification.\n - Bugfix/do not restore virtual files\n - Show server name in tray main window\n - Add Ubuntu Lunar\n - Debian build classification \u0027beta\u0027 cannot override \u0027release\u0027.\n - Update changelog\n - Follow shouldNotify flag to hide notifications when needed\n - Bugfix/stop after creating config file\n - E2EE cut extra zeroes from derypted byte array.\n - When local sync folder is overriden, respect this choice\n - Feature/e2ee fixes\n\n- This also fix security issues:\n\n - (boo#1205798, CVE-2022-39331)\n - Arbitrary HyperText Markup Language injection in notifications \n - (boo#1205799, CVE-2022-39332)\n - Arbitrary HyperText Markup Language injection in user status and information \n - (boo#1205800, CVE-2022-39333)\n - Arbitrary HyperText Markup Language injection in desktop client application \n - (boo#1205801, CVE-2022-39334)\n - Client incorrectly trusts invalid TLS certificates \n - (boo#1207976, CVE-2023-23942)\n - missing sanitisation on qml labels leading to javascript injection \n\n- Update to 3.7.4\n\n - check German translation for wrong wording\n - Fix \u0027Create new folder\u0027 menu entries in settings not working correctly on macOS\n - Clean up account creation and deletion code\n - Fix share dialog infinite loading\n - fix edit locally job not finding the user account: wrong user id\n - skip e2e encrypted files with empty filename in metadata\n - Always discover blacklisted folders to avoid data loss when modifying selectivesync list.\n - use new connect syntax\n - with cfapi when dehydrating files add missing flag\n - Fix avatars not showing up in settings dialog account actions until clicked on\n - Fix text labels in Sync Status component\n - Fix infinite loading in the share dialog when public link shares are disabled on the server\n - Ci/clang tidy checks init variables\n - Display \u0027Search globally\u0027 as the last sharees list element\n - Resize WebView widget once the loginpage rendered\n - Bugfix/do not restore virtual files\n - Fix display of 2FA notification.\n\n- Update to 3.7.3\n\n - Revert \u0027Fix(l10n): capital_abcd Update translations from Transifex\u0027\n - Revert \u0027Fix(l10n): capital_abcd Update translations from Transifex\u0027\n - Revert \u0027Fix(l10n): capital_abcd Update translations from Transifex\u0027\n\n- Update to 3.7.2\n\n - No regular changelog from upstream.\n See instead: https://github.com/nextcloud/desktop/compare/v3.7.1...v3.7.2\n\n- Update to 3.7.1\n\n - Backport/5393/stable 3.7 by @mgallien in #5403\n - Fix wrong estimated time when doing sync. in #4902\n - Bugfix/selective sync abort error in #4903\n - Set UnifiedSearchResultNothingFound visibility less messily in #4751\n - Clean up QML type and singleton registration in #4817\n - Simplify activity list delegates by making them ItemDelegates, clean up in #4786\n - Improve activity list highlighting/keyboard item selection in #4781\n - Replace private API QZipWriter with KArchive in #4768\n - makes Qt WebEngine optional only on macOS in #4875\n - Bugfix/conflict resolution when selecting folder in #4914\n - Fix fileactivitylistmodel QML registration in #4920\n - Updated link to documentation in #4792\n - Fix menu bar height calculation on macOS in #4917\n - Fix ActivityItem activityHover error in #4921\n - Fix add account window text clipping, enlarge text in #4910\n - Accept valid lsColJob reply XML content types in #4919\n - Fix low-resolution file changed overlay icons in activities in #4930\n - Refactor ActivityListModel population mechanisms in #4736\n - Make account setup wizard\u0027s adjustWizardSize resize to current page size instead of largest wizard page in #4911\n - Deallocate call notification dialog objects when closed by @claucambra in #4939\n - Ensure that the file being processed has had its etag properly sanitised, log etag more in #4940\n - Feature/syncjournaldb handle errors in #4819\n - Do not format text in QML components as HTML in #4944\n - Fix two factor auth notification: activity item was disabled. in #4961\n - Add a placeholder item for empty activity list in #4959\n - Ensure strings in main window QML are presented as plain text and not HTML by @claucambra in #4972\n - Improve handling of file name clashes by @claucambra in #4970\n - Add a QSortFilterProxyModel-based SortedActivityListModel by @claucambra in #4933\n - Bring back .lnk files on Windows and always treat them as non-virtual files. by @allexzander in #4968\n - Fix two factor authentication notification by @camilasan in #4967\n - Ensure placeholder message in emoji picker wraps correctly in #4960\n - Make activity action button an actual button, clean up contents in #4784\n - Improve the error box QML component in #4976\n - Fix \u0027Reply\u0027 primary property. in #4985\n - Fix sync progress bar colours in dark mode in #4986\n - Fix predefined status text formatting in #4987\n - Don\u0027t set up tray context menu on macOS, even if not building app bundle in #4988\n - Ci/check clang tidy in ci in #4995\n - check our code with clang-tidy in #4999\n - alway use constexpr for all text constants in #4996\n - avoid possibly crashing static_cast in #4994\n - switch AppImage CI to latest tag: client-appimage-6 in #5003\n - configure a list of checks for clang-tidy in #5004\n - Fix link shares default expire date being enforced as maximum expire date even when maximum date enforcement is disabled on the server in #4982\n - apply modernize-use-using via clang-tidy in #4993\n - Ci/use no discard in #4992\n - Fix files not unlocking after lock time expired in #4962\n - Update client image in #5002\n - let\u0027s check the format via some github action in #4991\n - Feature/vfs windows sharing and lock state in #4942\n - Update after tx migrate in #5019\n - Improve \u0027Handle local file editing\u0027 feature. Add loading popup. Add force sync before opening a file. in #4990\n - Command-line client. Do not trust SSL certificates by default, unless \u0027--trust\u0027 option is set. in #5022\n - Bugfix/files lock fail metadata in #5024\n - do not ignore return value in #4998\n - improve logs when adding sync errors in activity list of main dialog in #5032\n - Fix invisible user status selector button not being checked when user is in Offline mode in #5012\n - use correct version copmparison on NSIS updater: fix update from rc in #4979\n - Bugfix/check token for edit locally requests in #5039\n - Fix the dismiss button: display it whenever possible. in #4989\n - Fix account not found when doing local file editing. in #5040\n - Improve \u0027pretty user name\u0027-related strings, display in webflow credentials in #5013\n - Update CHANGELOG with 3.6.1 changes. in #5066\n - Fix call notification dialog buttons in #5074\n - validate certificate for E2EE against private key in #4949\n - emit missing signal to update folder sync status icon in #5087\n - Update CMake usage in README build instructions in #5086\n - Clean up methods in sync engine in #5071\n - Make Systray\u0027s void methods slots in #5042\n - Remove unneeded parameter from CleanupPollsJob constructor in #5070\n - Add a \u0027Sync now\u0027 button to the sync status header in the tray window in #5018\n - Modernise and improve code in AccountManager in #5026\n - Fix macOS autoupdater settings in #5102\n - Validate and sanitise edit locally token and relpath before sending to server in #5093\n - Refactor FolderMan\u0027s \u0027Edit Locally\u0027 capabilities as separate class in #5107\n - Modernise and improve code in AccountSettings in #5027\n - Fix compatibility with newer python3-nautilus in #5105\n - Only show Sync Now button if account is connected in #5097\n - use new public API to open an edit locally URL in #5116\n - Add a new file details window, unify file activity and sharing in #4929\n - E2EE. Do not generate keypair without user request. in #5067\n - Fix incorrect current user index when adding or removing a user account. Also fix incorrect user avatar lookup by id. in #5092\n - Remove unused internal link widget from old share dialog in #5123\n - Use separate variable for cfg file name in CMAKE. in #5136\n - Bugfix/delete folders during propagation even when propagation has errors in #5104\n - Remove unused app pointer in CocoaInitializer in #5127\n - Ensure \u0027Sync now\u0027 button doesn\u0027t have its text elided in #5129\n - Fix share delegate button icon colors in dark mode in #5132\n - Do not use copy-assignment of QDialog. in #5148\n - Remove unused remotePath in User::processCompletedSyncItem in #5118\n - Make user status selector modal, show user header in #5145\n - properly escape a path when creating a test file during tests in #5151\n - Add support cmake unity build in #5109\n - Fix typo of connector in #5157\n - fully qualify types in signals and slots in #5088\n - Remove reference to inexistent property in NCCustomButton in #5173\n - Fix ActivityList delegate warnings in #5172\n - Ensure forcing a folder to be synced unpauses syncing on said folder in #5152\n - switch back to upstream craft in #5178\n - fix renaming of folders with a deep hierarchy inside them in #5182\n - fix instances of: c++11 range-loop might detach Qt container warnings in #5089\n - Implement context menu entry \u0027Leave this share\u0027 in #5081\n - check that we update local file mtime on changes from server in #5188\n - Add end-to-end tests to our CI in #5124\n - Modernize the Dolphin action plugin in #5192\n - Ci/do not modify configuration file duringtests in #5200\n - cmake: Use FindPkgConfig\u0027s pkg_get_variable instead of custom macro in #5199\n - Fix tray window margins, stop cutting into window border in #5202\n - fix regressions on pinState management when doing renames in #520\n - Fix bad custom button alignments, sizings, etc. in #5189\n - Ci/do not override configuration file in #5206\n - Clearly tell user that E2EE has been enabled for an account in #5164\n - Fix CfApiShellExtensionsIPCTest in #5209\n - l10n: Fixed grammar in #5220\n - Prevent bad encrypting of folder if E2EE has not been correctly set up in #5223\n - Remove close/dismiss button from encryption message in #5163\n - Update macOS shell integration deployment targets in #5227\n - Bugfix/case cash conflicts should not terminate sync in #5224\n - Differentiate between E2EE not being enabled at all vs. E2EE being enabled already through another device in account settings message in #5179\n - Ensure more QML text components are rendering things as plain text in #5231\n - l10n: Correct spelling in #5221\n - Make use of plain text-enforcing qml labels in #5233\n - Feature/edit file locally restart sync in #5175\n - Fix CI errors for Edit Locally. in #5241\n - Lock file when editing locally in #5226\n - Format some QLabels as plain text in #5247\n - do not create GUI from a random thread and show error on real error in #5253\n - Fix BasicComboBox internal layout in #5216\n - Explicitly size and align user status selector text input to avoid bugs with alternate QtQuick styles in #5214\n - do not use bulk upload for e2ee files in #5256\n - Only show mnemonic request dialog when user explicitly wants to enable E2EE in #5181\n - Replace share settings popup with a page on a StackView in #5194\n - Add interactive NC Talk notifications on macOS in #5143\n - Show file details within the tray dialog, rather than in a separate dialog in #5139\n - Silence sync termination errors when running EditLocallyJob. in #5261\n - Fix typo in #5257\n - Add an \u0027Encrypt\u0027 menu entry in file browser context menu for folders in #5263\n - Add a nix flake for easy building and dev environments in #5007\n - Add an internal link share to the share dialog in #5131\n - Avoid the Get-Task-Allow Entitlement (macOS Notarization) in #5274\n - sets a fixed version for pixman when buildign desktop client via Craft in #5269\n - Fix SyncEngineTest failure when localstate is destroyed. in #5273\n - Feature/remove obsolete names in #5271\n - Remove unused HeaderBanner component in #5245\n - Feature/do not sync enc folders if e2ee is not setup in #5258\n - fix migration from old settings configuration files in #5141\n - Use QFileInfo::exists where we are only creating a QFileInfo to check if file exists in #5291\n - Make correct use of Qt signal \u0027emit\u0027 keyword in #5287\n - Remove unused variables in #5290\n - Declare all QRegularExpressions statically in #5289\n - l10n: Remove space in #5297\n - Feature/move shellextensions to root installdir in #5295\n - Improve backup dark mode palette for Windows in #5298\n - Allow setting up an account with apppasword and folder via command-line arguments. For deployment. in #5296\n - Update file\u0027s metadata in the local database when the etag changes while file remains unchanged. \n Fix subsequent conflict when locking and unlocking. in #5293\n - Fix warnings on QPROPERTY-s in #5286\n - Replace now deprecated FSEventStreamScheduleWithRunLoop with FSEventStreamSetDispatchQueue in #5272\n - Fix macOS shell integration class inits in #5299\n - Drop dependency on Qt Quick Controls 1 in #5309\n - Fix full-text search results not being opened in browser in #5279\n - Feature/allow forceoverrideurl via command line in #5329\n - Bugfix/e2ee vulnerability empty metadatakeys in #5323\n - Always generate random initialization vector when uploading encrypted file in #5324\n - Fix bad string for translation. in #5358\n - Update legal notice to 2023 in #5361\n - Fix migration from legacy client when override server url is set in #5322\n - Don\u0027t try to lock folders when editing locally in #5317\n - Fix fetch more unified search result item not being clickable in #5266\n - Add ability to disable E2EE in #5167\n - Remove unused monochrome icons setting in #5366\n - Feature/sync with case clash names in #5232\n - Edit locally. Do not lock if locking is disabled on the server. in #5371\n - Revert \u0027Merge pull request #5366 from nextcloud/bugfix/remove-mono-icons-setting\u0027 in #5372\n - Open calendar notifications in the browser. in #4684\n - Migrate old configs in #5362\n - Always unlock E2EE folders, even when network failure or crash. in #5370\n - Fix displaying of file details button for local syncfileitem activities in #5380\n - Improve config upgrade warning dialog in #5386\n - Backport/5385/stable 3.7 in #5388\n\n- Update to 3.6.6\n\n - Revert \u0027Fix(l10n): capital_abcd Update translations from Transifex\u0027 33f3975\n\n\n- Update to 3.6.5\n\n - do not assert when sharing to a circle in #5310\n - Fix macOS shell integration class inits in #5311\n - Drop dependency on Qt Quick Controls 1 in #5312\n - Feature/allow forceoverrideurl via command line in #5332\n - Fix typo in #5270\n - check that we update local file mtime on changes from server in #5321\n - fix regressions on pinState management when doing renames in #5333\n - Always generate random initialization vector when uploading encrypted file in #5334\n - Fix SyncEngineTest failure when localstate is destroyed. in #5336\n - Bugfix/e2ee vulnerability empty metadatakeys in #5335\n\n- Update to 3.6.4\n\n - do not create GUI from a random thread and show error on real error\n\n- Update to 3.6.3\n\n - Fix typo of connector\n - fix renaming of folders with a deep hierarchy inside them\n - Make user status selector modal, show user header\n - Prevent bad encrypting of folder if E2EE has not been correctly set up\n - Feature/edit file locally restart sync\n - Add forcefoldersync method to folder manager\n - Make use of plain text-enforcing qml labels\n - Lock file when editing locally\n - Format some QLabels as plain text\n\n- Update to 3.6.2\n\n - Fix call notification dialog buttons by @backportbot-nextcloud in #5075\n - emit missing signal to update folder sync status icon by @backportbot-nextcloud in #5090\n - Fix macOS autoupdater settings by @backportbot-nextcloud in #5103\n - Validate and sanitise edit locally token and relpath\n before sending to server by @backportbot-nextcloud in #5106\n - Fix compatibility with newer python3-nautilus by @backportbot-nextcloud in #5112\n - Refactor FolderMan\u0027s \u0027Edit Locally\u0027 capabilities\n as separate class by @backportbot-nextcloud in #5111\n - use new public API to open an edit locally URL by @backportbot-nextcloud in #5117\n - Use separate variable for cfg file name in CMAKE. by @backportbot-nextcloud in #5140\n - Fix stable-3.6 compile on macOS by @claucambra in #5154\n - Fix bad backport of CustomButton changes in Stable-3.6 by @claucambra in #5155\n - Backport/5067/stable 3.6 by @allexzander in #5153\n - Backport/5092/stable 3.6 by @allexzander in #5156\n - properly escape a path when creating a test file during tests by @backportbot-nextcloud in #5158\n\n- Split out the dbus service related files that provides\n libcloudproviders integration for nextcloud desktop client into\n a separate package; when this is installed, launching any\n app supporting libowncloudproviders (e.g. nautilus on GNOME)\n will automatically launch the desktop client -- which is rather\n annoying to happen by default, esp. in cases where a user does\n not even have a nextcloud account (gh#nextcloud/desktop#1982,\n gh#nextcloud/desktop#2622).\n\n- Make the extension working again on Nautilus 43.\n This patch also support previous Nautilus versions.\n\n- Update to 3.6.1\n\n - Fix wrong estimated time when doing sync.\n - Bugfix/selective sync abort error\n - Bugfix/conflict resolution when selecting folder\n - Fix menu bar height calculation on macOS\n - Fix add account window text clipping, enlarge text\n - Accept valid lsColJob reply XML content types\n - Fix low-resolution file changed overlay icons in activities\n - Deallocate call notification dialog objects when closed\n - Ensure that the file being processed has had its etag properly sanitised, log etag more\n - Ensure strings in main window QML are presented as plain text and not HTML\n - Do not format text in QML components as HTML\n - Fix two factor authentication notification\n - Bring back .lnk files on Windows and always treat them as non-virtual files.\n - Fix \u0027Reply\u0027 primary property.\n - Update after tx migrate\n - Command-line client. Do not trust SSL certificates by default,\n unless \u0027--trust\u0027 option is set.\n - Fix invisible user status selector button not being checked when user is in Offline mode\n - Fix link shares default expire date being enforced as maximum expire date\n even when maximum date enforcement is disabled on the server\n - Backport/4989/stable 3.6\n - use correct version copmparison on NSIS updater: fix update from rc\n - Improve \u0027Handle local file editing\u0027 feature. Add loading popup. Add f\u2026\n - Backport/5039/bugfix/check token for edit locally requests\n - Fix account not found when doing local file editing.\n - Fix two factor auth notification: activity item was disabled.\n - Fix predefined status text formatting\n - Fix sync progress bar colours in dark mode\n - Improve handling of file name clashes\n - Ensure placeholder message in emoji picker wraps correctly\n\n- Update to 3.6.0\n - Fix crash in cldapi.dll\n - Updating command-rebase.yml workflow from template\n - Reply button size should be same as the input field, smaller + text color\n - Fix crashing when selecting user status and predefined statuses not appearing\n - Make user status dialog look in line with the rest of the desktop client tray and Nextcloud\n - Add a placeholder message for the recents tab of the emoji picker\n - Add SVG icon styled for macOS Big Sur\n - Ensure the dispatch source only gets deallocated after the dispatch_source_cancel is done,\n avoiding crashing of the Finder Sync Extension on macOS\n - Properly adapt the UserStatusSelectorModel to QML, eliminate hacks, make code more declarative\n - Fix the system tray menu not being correctly replaced in setupContextMenu on GNOME\n - Make the share dialog resizeable\n - Make client language gender-neutral and more clear\n - Use an en-dash for the userstatus panel\n - Close call notifications when the call has been joined by the user, or the call has ended\n - Correct spelling\n - Print sync direction in SyncFileStatusTracker::slotAboutToPropagate\n - Windows CI. Use specific Craft revision.\n - Add \u0027db/local/remote\u0027 reference to log string.\n - Work around issues with window positioning on Linux DEs,\n hardcode tray window to screen center when new account added\n - Add a custom back button to the account wizard\u0027s advanced setup page\n - Clean up systray methods, make more QML-friendly\n - Refactor tray window opening code for clarity and efficiency\n - Increase the call state checking interval to not overload the server\n - Fix bad quote in CMakeLists PNG generation message\n - Only set _FORTIFY_SOURCE when a higher level of this flag has not been set\n - Switch to using the main client CI image based on ubuntu 22.04\n - Limit concurrent notifications\n - Use macOS-specific application icon\n - QML-ify the UserModel, use properties rather than setter methods\n - Take ints by value rather than reference in UserModel methods\n - Feature/vfs windows thumbnails\n - Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS\n - Restyle unified search skeleton items animation and simplify their code\n - Stop styling QML unified search items hierarchically, use global Style constants\n - Use preprocessor directive rather than normal \u0027if\u0027 for UNNotification types\n - Make apps menu scrollable when content taller than available vertical space,\n preventing borking of layout\n - Ensure that throttled notifications still appear in tray activity model\n - Stop clearing notifications when new notifications are received\n - Fix ActivityItemContent QML paintedWidth errors\n - Clicking on an activity list item for a file opens the local file if available\n - Replace unified search text field busy indicator with custom indicator\n - Update macOS Info.plist\n - Ensure debug archive contents are readable by any user\n - Remove Ubuntu Impish, add Kinetic\n - Make UserStatusSelector a dismissible page pushed onto the tray window\n - Feature/handle edit locally\n - Add Debian Bullseye build\n - Double-clicking tray icon opens currently-selected user\u0027s local folder (if available)\n - Clean up TalkReplyTextField, remove unnecessary parent Item\n - Refactor user line\n - Do not reboot PC when running an MSI via autoupdate.\n - Always run MSI with full UI.\n - Eliminate padding around the menu separator in the account menu\n - Feature/enable more warnings also for gcc\n - Move CFAPI shell extensions variables to root CMakeLists.\n - Move URI scheme variable from Nextcloud.cmake to root CMakeListsts.\n - Ensure SyncEngine use an initialized instance of SyncOptions\n - Fix QML warnings\n - I18n: Spelling unification\n - Fix crash: \u0027Failed to create OpenGL context\u0027.\n - Fix bugs with setting \u0027Away\u0027 user status\n - Fix greek translation for application name in menu\n - Align, resize, and layout everything uniformly in the unified search view\n - Remove libglib-2.0.so.0 and libgobject-2.0.so.0 from Appimage.\n - Fix unified search item placeholder image source\n - Use same tooltip component everywhere, fix tooltip clipping bugs\n - Fix account switching and hover issues with UserLine component\n - Remove Ubuntu Focal\n - Add a ScrollView to the predefined statuses area of the UserStatusSelector\n - Prevent the \u0027Cancel\u0027 button of the user status selector getting squashed\n - Ensure that clear status message combo box is at least implicit width\n - Fix alignment of predefined status contents regardless of emoji fonts\n - Prevent crashing when trying to create error-ing QML component in systray.cpp, output error to log\n - Add CHANGELOG.md.\n - Ensure file activity dialog is centered on screen and appears at top of window stack\n - Build script for AppImage should not assume Nextcloud is the name\n - Fix File Activities dialog not showing up.\n - Reads and store fileId and remote permissions during bulk upload\n - Do not build qt keychain already included in the CI images\n - Bugfix/web engine on win11\n - Update CHANGELOG for the 3.6.0 release.\n - Fix script that upload AppImage to go in correct path\n\n- Update to 3.5.4\n\n - Add and use DO_NOT_REBOOT_IN_SILENT=1 parameter for MSI to not reboot during the auto-update.\n\n- Update to 3.5.3\n - Fix the system tray menu not being correctly replaced in setupContextMenu on GNOME\n - Ensure call notification stays on top of other windows\n - Work around issues with window positioning on Linux DEs,\n hardcode tray window to screen center when new account added\n - Clean up systray methods, make more QML-friendly\n - Refactor tray window opening code for clarity and efficiency\n - Only set _FORTIFY_SOURCE when a higher level of this flag has not been set\n - Limit concurrent notifications\n - Take ints by value rather than reference in UserModel methods\n - Respect skipAutoUpdateCheck in nextcloud.cfg with Sparkle on macOS\n - Use preprocessor directive rather than normal \u0027if\u0027 for UNNotification types\n - QML-ify the UserModel, use properties rather than setter methods\n - Fix ActivityItemContent QML paintedWidth errors\n - Stop clearing notifications when new notifications are received\n - Ensure debug archive contents are readable by any user\n - Stop styling QML unified search items hierarchically, use global Style constants\n - Update macOS Info.plist\n - print sync direction in SyncFileStatusTracker::slotAboutToPropagate\n - Remove Ubuntu Impish, add Kinetic\n - Ensure that throttled notifications still appear in tray activity model\n - Make apps menu scrollable when content taller than available vertical space,\n preventing borking of layout\n\n- Update to 3.5.2\n\n - Explicitly ask user for notification authorisation on launch (macOS)\n - Fix crash caused by overflow in FinderSyncExtension\n - add new fixup workflow from nextcloud org\n - Display chat message inside the OS notification.\n - Fix \u0027TypeError: Cannot readproperty \u0027messageSent\u0027 of undefined\u0027.\n - Add a transparent background to the send reply button.\n - Fix build on macOS versions pre-11 (down to 10.14)\n - Ignore Office temp folders on Mac (\u0027.sb-\u0027 in folder name).\n - Remove assert, it is no longer useful.\n - Add contrast to the text/icon of buttons if the server defined color is light.\n - fix general section\n - Remove tooltip because it is only repeating the label of the link.\n - bugfix/share-dialog\n - Updating command-rebase.yml workflow from template\n - Reply button size should be same as the input field, smaller + text color\n - Close call notifications when the call has been joined by the user, or the call has ended\n - Increase the call state checking interval to not overload the server\n - Ensure the dispatch source only gets deallocated after\n the dispatch_source_cancel is done, avoiding crashing of the Finder Sync Extension on macOS\n\n * A more future-proof and distribution friendly fix for boo#1201070\n\n- Fix Tumbleweed build and install error boo#1201070.\n Use own CFLAGS for Tumblweed with -D_FORTIFY_SOURCE=2 instead of -D_FORTIFY_SOURCE=3.\n\n- Update to 3.5.1\n - Add new and correct sparkle update signature\n - l10n: Remove string from translation\n - l10n: Changed triple dot to ellipsis\n - Ensure cache is stored in default cache location\n - Updating command-rebase.yml workflow from template\n - Remove \u0027\u2026\u0027 from \u0027Create Debug Archive\u0027 button\n - docs: Replace \u0027preceded\u0027 with \u0027followed\u0027\n - only add OCS-APIREQUEST header for 1st request of webflow v1\n - Make the make_universal.py script more verbose for easier debugging\n - Revamp notifications for macOS and add support for actionable update notifications\n - Use proper online status for user (\u0027dnd\u0027, \u0027online\u0027, \u0027invisible\u0027, etc.) to enable or disable desktop notifications.\n - Bugfix. Take root folder\u0027s files size into account when displaying the total size in selective sync dialog.\n - Fix activity list item issues with colours/layout/etc.\n - Bugfix/allow manual rename files with spaces\n - Fixed share link expiration box being ineditable and always attempting to set invalid date\n - Fix crashing of finder sync extension caused by dispatch_source_cancel of nullptr\n - Simplify and remove the notification \u0027cache\u0027\n - Fix tray icon not displaying \u0027Open main dialog\u0027\n - if an exclude file is deleted, skip it and remove it from internal list\n - Bugfix/two factor notification\n - Fix visual borking in the share dialog\n - add explicit capture for lambda\n\n- Update to 3.5.0\n - Require cmake 3.16\n - Add testing for ActivityListModel\n - Check for dbus-1 when building with cloudproviders\n - Add ability to copy internal link from share dialog\n - Feature/improve activity buttons\n - Add thumbnails for files in the activity view\n - Use proper API to dehydrate a placeholder file\n - Feature/Talk Reply v1\n - Ensure we emit a rename command for renamed files\n - Remove Hirsute, add Jammy\n - Allow account menu to scroll when content height is larger than menu height\n - Always build with updater. Use \u0027beta/stable\u0027 channel selector in \u0027General Settins\u0027 dialog with default \u0027stable\u0027.\n - Cmake option to disable proxy\n - Add support for server color theming\n - No longer assume status bar height, calculate, fixing notch borking on new MacBook Pro\n - Add a dark mode\n - Generates pot files automatically.\n - Add headers in cmake files to get them properly detected\n - Ensure that bulk upload network job errors are handled\n - Do not remove a folder that has files that were not uploaded yet during propagation\n - L10n: Change to lowercase\n - Simplify currentScreen in systray.cpp\n - Fix warn colour in dark mode\n - Do not remove files from a Group folder and its nested folders when it is renamed or removed while not allowed.\n - Rollback local move on server move failure\n - Implement local socket to communicate with finder extension\n - Bugfix/prevent overflow with mtime\n - L10n: Changed spelling\n - Add \u0027Help\u0027 action back.\n - Ensure file activity dialog appears in centre of screen\n - Increase maximum text line count in tray activity items to two lines\n - Fix file activity dialog\n - Properly ask Qt to create qml opengl surface with proper options\n - Old submodule url does not work anylonger\n - Old submodule url does not work anylonger\n - Prepare for 3.5.0-rc1\n - Fix icon color and highlight color issues\n - Fix for VFS crashes due to mimetype checking for thumbnails\n - Fix various dark mode bugs\n - Add a new yml github issue template for bug reports.\n - Ensure we only store update channel not localized in settings\n - Improve talk reply\n - Prepare for 3.5.0-rc2\n - Bugfix/talk reply part 2\n - Darkmode. Fix crash on exit.\n - Avoid deleting renamed file with spaces in name\n - More dark mode fixes\n - Ensure we do properly failed hydration jobs\n - Fix build of appimage for branded clients\n - Prepare for 3.5.0-rc3\n - Feature/files lock\n - Add call notification dialog.\n - Fix thumbnails for new files made while client open\n - Increase time between connection tries\n - Improve contrast on server color themed elements\n - Fix positioning of activities in the activities list\n - Bugfix/activities fetch server overload\n - Realigned and resized thumbnails\n - Add user avatars in talk notifications in activity list\n - Fix sparkle implementation in the desktop client\n - Prepare 3.5.0-rc4\n - Prepare final 3.5.0 release\n\n- Update to 3.4.4\n - Do not remove files from a Group\n folder and its nested folders when it is renamed or removed\n while not allowed.\n - Bugfix/prevent overflow with mtime\n - Old submodule url does not work anylonger\n\n- Update to 3.4.3\n - Remove Hirsute, add Jammy\n - Cmake option to disable proxy\n - ensure we emit a rename command for renamed files\n - Makes sure that sync engine terminates when an error happen\n - ensure that bulk upload network job errors are handled\n - Rollback local move on server move failure\n - Do not remove a folder that has files that were not uploaded yet during propagation\n\n- Update to 3.4.2\n - Bugfix/force re-login on SSL Handshake error\n - Do not display \u0027Conflict when uploading some files to a folder\n - Windows. MSI. Unregister Nextcloud folders in SyncRootManager on uninstall.\n - Unbreak loading translations\n - Hide share button for deleted files and ignored files in tray activity\n - Display error message when creating a link share with compromised password.\n - Bugfix. Re-init sharing manager to enable link sharing UI when receivng sharing permissions.\n - Show only filenames in tray activity items, with full path in tooltip\n - use proper API to dehydrate a placeholder file\n - Add macOS *.textClipping files to ignore list\n\n- Updatete to 3.4.1\n - fix random error when updating CfApi metadata\n - do not forget the path when renaming files with invalid names\n - Bugfix/assert invalid modtime\n - Feature/folder logo variations\n - Always prefill username from Windows login name based on server version\n - Bugfix/3.4.1 rc1\n - Bugfix/sync stuck on error\n - Bugfix/force download local invalid files\n - Enforce VFS. Disable \u0027Make always available locally\u0027.\n - Bugfix/avoid sync getting stuck\n - Fix CMake error in ECMAddAppIcon for mac\n - Do not crash on findAndCancelDeletedJob\n - ensure any errors after calling FileSystem::getModTime are handled\n\n- Skiped version 3.4.0 because of modtime bug:\n See: https://github.com/nextcloud/desktop/pull/4049\n Please read the following wiki page How to fix files invalid modification date:\n https://github.com/nextcloud/desktop/wiki/Fix-bug-invalid-modification-date\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2023-90",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0090-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2023:0090-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IHDC7NYZMDNIUM6KMGVNGTIO5AKPD4O7/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2023:0090-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IHDC7NYZMDNIUM6KMGVNGTIO5AKPD4O7/"
},
{
"category": "self",
"summary": "SUSE Bug 1201070",
"url": "https://bugzilla.suse.com/1201070"
},
{
"category": "self",
"summary": "SUSE Bug 1205798",
"url": "https://bugzilla.suse.com/1205798"
},
{
"category": "self",
"summary": "SUSE Bug 1205799",
"url": "https://bugzilla.suse.com/1205799"
},
{
"category": "self",
"summary": "SUSE Bug 1205800",
"url": "https://bugzilla.suse.com/1205800"
},
{
"category": "self",
"summary": "SUSE Bug 1205801",
"url": "https://bugzilla.suse.com/1205801"
},
{
"category": "self",
"summary": "SUSE Bug 1207976",
"url": "https://bugzilla.suse.com/1207976"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39331 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39331/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39332 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39332/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39333 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39333/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39334 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39334/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-23942 page",
"url": "https://www.suse.com/security/cve/CVE-2023-23942/"
}
],
"title": "Security update for nextcloud-desktop",
"tracking": {
"current_release_date": "2023-04-12T10:56:37Z",
"generator": {
"date": "2023-04-12T10:56:37Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2023:0090-1",
"initial_release_date": "2023-04-12T10:56:37Z",
"revision_history": [
{
"date": "2023-04-12T10:56:37Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"product": {
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"product_id": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"product": {
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"product_id": "libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"product": {
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"product_id": "nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"product": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"product_id": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product": {
"name": "caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product_id": "caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product": {
"name": "cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product_id": "cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product": {
"name": "nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product_id": "nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product": {
"name": "nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"product_id": "nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"product": {
"name": "nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"product_id": "nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"product": {
"name": "nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"product_id": "nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"product": {
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"product_id": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"product": {
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"product_id": "libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"product": {
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"product_id": "nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"product": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"product_id": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP4",
"product": {
"name": "SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.4",
"product": {
"name": "openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64 as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch as component of SUSE Package Hub 15 SP4",
"product_id": "SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch as component of openSUSE Leap 15.4",
"product_id": "openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-39331",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39331"
}
],
"notes": [
{
"category": "general",
"text": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39331",
"url": "https://www.suse.com/security/cve/CVE-2022-39331"
},
{
"category": "external",
"summary": "SUSE Bug 1205798 for CVE-2022-39331",
"url": "https://bugzilla.suse.com/1205798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-12T10:56:37Z",
"details": "moderate"
}
],
"title": "CVE-2022-39331"
},
{
"cve": "CVE-2022-39332",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39332"
}
],
"notes": [
{
"category": "general",
"text": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39332",
"url": "https://www.suse.com/security/cve/CVE-2022-39332"
},
{
"category": "external",
"summary": "SUSE Bug 1205799 for CVE-2022-39332",
"url": "https://bugzilla.suse.com/1205799"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-12T10:56:37Z",
"details": "moderate"
}
],
"title": "CVE-2022-39332"
},
{
"cve": "CVE-2022-39333",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39333"
}
],
"notes": [
{
"category": "general",
"text": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39333",
"url": "https://www.suse.com/security/cve/CVE-2022-39333"
},
{
"category": "external",
"summary": "SUSE Bug 1205800 for CVE-2022-39333",
"url": "https://bugzilla.suse.com/1205800"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-12T10:56:37Z",
"details": "moderate"
}
],
"title": "CVE-2022-39333"
},
{
"cve": "CVE-2022-39334",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39334"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39334",
"url": "https://www.suse.com/security/cve/CVE-2022-39334"
},
{
"category": "external",
"summary": "SUSE Bug 1205801 for CVE-2022-39334",
"url": "https://bugzilla.suse.com/1205801"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-12T10:56:37Z",
"details": "low"
}
],
"title": "CVE-2022-39334"
},
{
"cve": "CVE-2023-23942",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-23942"
}
],
"notes": [
{
"category": "general",
"text": "The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-23942",
"url": "https://www.suse.com/security/cve/CVE-2023-23942"
},
{
"category": "external",
"summary": "SUSE Bug 1207976 for CVE-2023-23942",
"url": "https://bugzilla.suse.com/1207976"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"SUSE Package Hub 15 SP4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:caja-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:cloudproviders-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync-devel-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:libnextcloudsync0-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nautilus-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nemo-extension-nextcloud-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-doc-3.8.0-bp154.2.3.1.noarch",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.aarch64",
"openSUSE Leap 15.4:nextcloud-desktop-dolphin-3.8.0-bp154.2.3.1.x86_64",
"openSUSE Leap 15.4:nextcloud-desktop-lang-3.8.0-bp154.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-04-12T10:56:37Z",
"details": "moderate"
}
],
"title": "CVE-2023-23942"
}
]
}
OPENSUSE-SU-2023:0171-1
Vulnerability from csaf_opensuse - Published: 2023-07-10 11:03 - Updated: 2023-07-10 11:03Summary
Security update for nextcloud-desktop
Notes
Title of the patch
Security update for nextcloud-desktop
Description of the patch
This update for nextcloud-desktop fixes the following issues:
Update ot 3.8.0
- Resize WebView widget once the loginpage rendered
- Feature/secure file drop
- Check German translation for wrong wording
- L10n: Correct word
- Fix displaying of file details button for local syncfileitem activities
- Improve config upgrade warning dialog
- Only accept folder setup page if overrideLocalDir is set
- Update CHANGELOG.
- Prevent ShareModel crash from accessing bad pointers
- Bugfix/init value for pointers
- Log to stdout when built in Debug config
- Clean up account creation and deletion code
- L10n: Added dot to end of sentence
- L10n: Fixed grammar
- Fix 'Create new folder' menu entries in settings not working correctly on macOS
- Ci/clang tidy checks init variables
- Fix share dialog infinite loading
- Fix edit locally job not finding the user account: wrong user id
- Skip e2e encrypted files with empty filename in metadata
- Use new connect syntax
- Fix avatars not showing up in settings dialog account actions until clicked on
- Always discover blacklisted folders to avoid data loss when modifying selectivesync list.
- Fix infinite loading in the share dialog when public link shares are disabled on the server
- With cfapi when dehydrating files add missing flag
- Fix text labels in Sync Status component
- Display 'Search globally' as the last sharees list element
- Fix display of 2FA notification.
- Bugfix/do not restore virtual files
- Show server name in tray main window
- Add Ubuntu Lunar
- Debian build classification 'beta' cannot override 'release'.
- Update changelog
- Follow shouldNotify flag to hide notifications when needed
- Bugfix/stop after creating config file
- E2EE cut extra zeroes from derypted byte array.
- When local sync folder is overriden, respect this choice
- Feature/e2ee fixes
- This update also fixes security issues:
- (boo#1205798, CVE-2022-39331)
- Arbitrary HyperText Markup Language injection in notifications
- (boo#1205799, CVE-2022-39332)
- Arbitrary HyperText Markup Language injection in user status and information
- (boo#1205800, CVE-2022-39333)
- Arbitrary HyperText Markup Language injection in desktop client application
- (boo#1205801, CVE-2022-39334)
- Client incorrectly trusts invalid TLS certificates
- (boo#1207976, CVE-2023-23942)
- missing sanitisation on qml labels leading to javascript injection
Patchnames
openSUSE-2023-171
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nextcloud-desktop",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nextcloud-desktop fixes the following issues:\n\nUpdate ot 3.8.0\n\n - Resize WebView widget once the loginpage rendered\n - Feature/secure file drop\n - Check German translation for wrong wording\n - L10n: Correct word\n - Fix displaying of file details button for local syncfileitem activities\n - Improve config upgrade warning dialog\n - Only accept folder setup page if overrideLocalDir is set\n - Update CHANGELOG.\n - Prevent ShareModel crash from accessing bad pointers\n - Bugfix/init value for pointers\n - Log to stdout when built in Debug config\n - Clean up account creation and deletion code\n - L10n: Added dot to end of sentence\n - L10n: Fixed grammar\n - Fix \u0027Create new folder\u0027 menu entries in settings not working correctly on macOS\n - Ci/clang tidy checks init variables\n - Fix share dialog infinite loading\n - Fix edit locally job not finding the user account: wrong user id\n - Skip e2e encrypted files with empty filename in metadata\n - Use new connect syntax\n - Fix avatars not showing up in settings dialog account actions until clicked on\n - Always discover blacklisted folders to avoid data loss when modifying selectivesync list.\n - Fix infinite loading in the share dialog when public link shares are disabled on the server\n - With cfapi when dehydrating files add missing flag\n - Fix text labels in Sync Status component\n - Display \u0027Search globally\u0027 as the last sharees list element\n - Fix display of 2FA notification.\n - Bugfix/do not restore virtual files\n - Show server name in tray main window\n - Add Ubuntu Lunar\n - Debian build classification \u0027beta\u0027 cannot override \u0027release\u0027.\n - Update changelog\n - Follow shouldNotify flag to hide notifications when needed\n - Bugfix/stop after creating config file\n - E2EE cut extra zeroes from derypted byte array.\n - When local sync folder is overriden, respect this choice\n - Feature/e2ee fixes\n\n- This update also fixes security issues:\n\n - (boo#1205798, CVE-2022-39331)\n - Arbitrary HyperText Markup Language injection in notifications \n - (boo#1205799, CVE-2022-39332)\n - Arbitrary HyperText Markup Language injection in user status and information \n - (boo#1205800, CVE-2022-39333)\n - Arbitrary HyperText Markup Language injection in desktop client application \n - (boo#1205801, CVE-2022-39334)\n - Client incorrectly trusts invalid TLS certificates \n - (boo#1207976, CVE-2023-23942)\n - missing sanitisation on qml labels leading to javascript injection \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2023-171",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0171-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2023:0171-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2023:0171-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MYOV4BMU2LQGVZ5NTYTI7BA3XMRNOCDF/"
},
{
"category": "self",
"summary": "SUSE Bug 1205798",
"url": "https://bugzilla.suse.com/1205798"
},
{
"category": "self",
"summary": "SUSE Bug 1205799",
"url": "https://bugzilla.suse.com/1205799"
},
{
"category": "self",
"summary": "SUSE Bug 1205800",
"url": "https://bugzilla.suse.com/1205800"
},
{
"category": "self",
"summary": "SUSE Bug 1205801",
"url": "https://bugzilla.suse.com/1205801"
},
{
"category": "self",
"summary": "SUSE Bug 1207976",
"url": "https://bugzilla.suse.com/1207976"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39331 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39331/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39332 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39332/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39333 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39333/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-39334 page",
"url": "https://www.suse.com/security/cve/CVE-2022-39334/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-23942 page",
"url": "https://www.suse.com/security/cve/CVE-2023-23942/"
}
],
"title": "Security update for nextcloud-desktop",
"tracking": {
"current_release_date": "2023-07-10T11:03:58Z",
"generator": {
"date": "2023-07-10T11:03:58Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2023:0171-1",
"initial_release_date": "2023-07-10T11:03:58Z",
"revision_history": [
{
"date": "2023-07-10T11:03:58Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"product": {
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"product_id": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"product": {
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"product_id": "libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"product": {
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"product_id": "nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"product": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"product_id": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product": {
"name": "caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product_id": "caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product": {
"name": "cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product_id": "cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product": {
"name": "nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product_id": "nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product": {
"name": "nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"product_id": "nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"product": {
"name": "nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"product_id": "nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"product": {
"name": "nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"product_id": "nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"product": {
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"product_id": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"product": {
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"product_id": "libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"product": {
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"product_id": "nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"product": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"product_id": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP5",
"product": {
"name": "SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64 as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch as component of SUSE Package Hub 15 SP5",
"product_id": "SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64 as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64"
},
"product_reference": "nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
},
"product_reference": "nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-39331",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39331"
}
],
"notes": [
{
"category": "general",
"text": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39331",
"url": "https://www.suse.com/security/cve/CVE-2022-39331"
},
{
"category": "external",
"summary": "SUSE Bug 1205798 for CVE-2022-39331",
"url": "https://bugzilla.suse.com/1205798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-07-10T11:03:58Z",
"details": "moderate"
}
],
"title": "CVE-2022-39331"
},
{
"cve": "CVE-2022-39332",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39332"
}
],
"notes": [
{
"category": "general",
"text": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39332",
"url": "https://www.suse.com/security/cve/CVE-2022-39332"
},
{
"category": "external",
"summary": "SUSE Bug 1205799 for CVE-2022-39332",
"url": "https://bugzilla.suse.com/1205799"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-07-10T11:03:58Z",
"details": "moderate"
}
],
"title": "CVE-2022-39332"
},
{
"cve": "CVE-2022-39333",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39333"
}
],
"notes": [
{
"category": "general",
"text": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39333",
"url": "https://www.suse.com/security/cve/CVE-2022-39333"
},
{
"category": "external",
"summary": "SUSE Bug 1205800 for CVE-2022-39333",
"url": "https://bugzilla.suse.com/1205800"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-07-10T11:03:58Z",
"details": "moderate"
}
],
"title": "CVE-2022-39333"
},
{
"cve": "CVE-2022-39334",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-39334"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-39334",
"url": "https://www.suse.com/security/cve/CVE-2022-39334"
},
{
"category": "external",
"summary": "SUSE Bug 1205801 for CVE-2022-39334",
"url": "https://bugzilla.suse.com/1205801"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.9,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-07-10T11:03:58Z",
"details": "low"
}
],
"title": "CVE-2022-39334"
},
{
"cve": "CVE-2023-23942",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-23942"
}
],
"notes": [
{
"category": "general",
"text": "The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-23942",
"url": "https://www.suse.com/security/cve/CVE-2023-23942"
},
{
"category": "external",
"summary": "SUSE Bug 1207976 for CVE-2023-23942",
"url": "https://bugzilla.suse.com/1207976"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 15 SP5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"SUSE Package Hub 15 SP5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:caja-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:cloudproviders-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync-devel-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:libnextcloudsync0-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nautilus-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nemo-extension-nextcloud-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-doc-3.8.0-bp155.2.3.1.noarch",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.aarch64",
"openSUSE Leap 15.5:nextcloud-desktop-dolphin-3.8.0-bp155.2.3.1.x86_64",
"openSUSE Leap 15.5:nextcloud-desktop-lang-3.8.0-bp155.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2023-07-10T11:03:58Z",
"details": "moderate"
}
],
"title": "CVE-2023-23942"
}
]
}
CERTFR-2022-AVI-1057
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Nextcloud. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Nextcloud Talk Android versions ant\u00e9rieures \u00e0 14.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "user_oidc versions ant\u00e9rieures \u00e0 v1.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Nextcloud Desktop versions ant\u00e9rieures \u00e0 3.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-39338",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39338"
},
{
"name": "CVE-2022-39331",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39331"
},
{
"name": "CVE-2022-39334",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39334"
},
{
"name": "CVE-2022-39333",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39333"
},
{
"name": "CVE-2022-39332",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39332"
},
{
"name": "CVE-2022-41926",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41926"
},
{
"name": "CVE-2022-39339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39339"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-1057",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-11-25T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nNextcloud. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0\nl\u0027int\u00e9grit\u00e9 des donn\u00e9es, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es\net une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Nextcloud",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39333 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39338 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5fpw-795h-rg57"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39334 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39339 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39332 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39331 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-41926 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
}
]
}
CERTFR-2022-AVI-1057
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits Nextcloud. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Nextcloud Talk Android versions ant\u00e9rieures \u00e0 14.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "user_oidc versions ant\u00e9rieures \u00e0 v1.2.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Nextcloud Desktop versions ant\u00e9rieures \u00e0 3.6.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-39338",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39338"
},
{
"name": "CVE-2022-39331",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39331"
},
{
"name": "CVE-2022-39334",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39334"
},
{
"name": "CVE-2022-39333",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39333"
},
{
"name": "CVE-2022-39332",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39332"
},
{
"name": "CVE-2022-41926",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41926"
},
{
"name": "CVE-2022-39339",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-39339"
}
],
"links": [],
"reference": "CERTFR-2022-AVI-1057",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-11-25T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nNextcloud. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0\nl\u0027int\u00e9grit\u00e9 des donn\u00e9es, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es\net une injection de code indirecte \u00e0 distance (XSS).\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Nextcloud",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39333 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39338 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5fpw-795h-rg57"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39334 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39339 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39332 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39331 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-41926 du 25 novembre 2022",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
}
]
}
WID-SEC-W-2022-2183
Vulnerability from csaf_certbund - Published: 2022-11-27 23:00 - Updated: 2025-09-17 22:00Summary
Nextcloud: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Nextcloud ist eine "on-premise" Plattform für Dateifreigabe und Zusammenarbeit.
Angriff
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Nextcloud ausnutzen, um einen Denial of Service Angriff durchzuführen, Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen oder Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme
- Android
- Linux
- MacOS X
- UNIX
- Windows
{
"document": {
"aggregate_severity": {
"text": "niedrig"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Nextcloud ist eine \"on-premise\" Plattform f\u00fcr Dateifreigabe und Zusammenarbeit.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Nextcloud ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Android\n- Linux\n- MacOS X\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2022-2183 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2183.json"
},
{
"category": "self",
"summary": "WID-SEC-2022-2183 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2183"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6w9f-jgjx-4vj6"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5fpw-795h-rg57"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"category": "external",
"summary": "Github Nextcloud Advisory vom 2022-11-27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p"
},
{
"category": "external",
"summary": "Hackone Report #1668028",
"url": "https://hackerone.com/reports/1668028"
},
{
"category": "external",
"summary": "Nextcloud Desktop issue 4927",
"url": "https://github.com/nextcloud/desktop/issues/4927"
},
{
"category": "external",
"summary": "Debian Security Advisory DLA-4303 vom 2025-09-18",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html"
}
],
"source_lang": "en-US",
"title": "Nextcloud: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-09-17T22:00:00.000+00:00",
"generator": {
"date": "2025-09-18T07:16:13.120+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.4.0"
}
},
"id": "WID-SEC-W-2022-2183",
"initial_release_date": "2022-11-27T23:00:00.000+00:00",
"revision_history": [
{
"date": "2022-11-27T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2022-11-30T23:00:00.000+00:00",
"number": "2",
"summary": "Referenz(en) aufgenommen: FEDORA-2022-49B20342C0, FEDORA-2022-902DF3B060, FEDORA-2022-98C1D712B5"
},
{
"date": "2022-12-01T23:00:00.000+00:00",
"number": "3",
"summary": "PoC aufgenommen"
},
{
"date": "2025-09-17T22:00:00.000+00:00",
"number": "4",
"summary": "Neue Updates von Debian aufgenommen"
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c23.0.7",
"product": {
"name": "Nextcloud Nextcloud \u003c23.0.7",
"product_id": "T024450"
}
},
{
"category": "product_version",
"name": "23.0.7",
"product": {
"name": "Nextcloud Nextcloud 23.0.7",
"product_id": "T024450-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nextcloud:nextcloud:23.0.7"
}
}
},
{
"category": "product_version_range",
"name": "\u003c22.2.10",
"product": {
"name": "Nextcloud Nextcloud \u003c22.2.10",
"product_id": "T025141"
}
},
{
"category": "product_version",
"name": "22.2.10",
"product": {
"name": "Nextcloud Nextcloud 22.2.10",
"product_id": "T025141-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nextcloud:nextcloud:22.2.10"
}
}
},
{
"category": "product_version_range",
"name": "\u003c24.0.3",
"product": {
"name": "Nextcloud Nextcloud \u003c24.0.3",
"product_id": "T025418"
}
},
{
"category": "product_version",
"name": "24.0.3",
"product": {
"name": "Nextcloud Nextcloud 24.0.3",
"product_id": "T025418-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nextcloud:nextcloud:24.0.3"
}
}
},
{
"category": "product_version_range",
"name": "User_IODC \u003c1.2.1",
"product": {
"name": "Nextcloud Nextcloud User_IODC \u003c1.2.1",
"product_id": "T025419"
}
},
{
"category": "product_version",
"name": "User_IODC 1.2.1",
"product": {
"name": "Nextcloud Nextcloud User_IODC 1.2.1",
"product_id": "T025419-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nextcloud:nextcloud:user_iodc_1.2.1"
}
}
},
{
"category": "product_version_range",
"name": "TalkAndroid \u003c14.1.0",
"product": {
"name": "Nextcloud Nextcloud TalkAndroid \u003c14.1.0",
"product_id": "T025420"
}
},
{
"category": "product_version",
"name": "TalkAndroid 14.1.0",
"product": {
"name": "Nextcloud Nextcloud TalkAndroid 14.1.0",
"product_id": "T025420-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nextcloud:nextcloud:talkandroid_14.1.0"
}
}
},
{
"category": "product_version_range",
"name": "Desktop \u003c3.6.1",
"product": {
"name": "Nextcloud Nextcloud Desktop \u003c3.6.1",
"product_id": "T025421"
}
},
{
"category": "product_version",
"name": "Desktop 3.6.1",
"product": {
"name": "Nextcloud Nextcloud Desktop 3.6.1",
"product_id": "T025421-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:nextcloud:nextcloud:desktop_3.6.1"
}
}
}
],
"category": "product_name",
"name": "Nextcloud"
}
],
"category": "vendor",
"name": "Nextcloud"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-39346",
"product_status": {
"known_affected": [
"T025418",
"T025141",
"2951",
"T024450"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-39346"
},
{
"cve": "CVE-2022-39331",
"product_status": {
"known_affected": [
"T025419",
"2951",
"T025421"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-39331"
},
{
"cve": "CVE-2022-39332",
"product_status": {
"known_affected": [
"T025419",
"2951",
"T025421"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-39332"
},
{
"cve": "CVE-2022-39333",
"product_status": {
"known_affected": [
"T025419",
"2951",
"T025421"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-39333"
},
{
"cve": "CVE-2022-39338",
"product_status": {
"known_affected": [
"T025419",
"2951",
"T025421"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-39338"
},
{
"cve": "CVE-2022-39339",
"product_status": {
"known_affected": [
"T025419",
"2951"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-39339"
},
{
"cve": "CVE-2022-39334",
"product_status": {
"known_affected": [
"2951",
"T025421",
"T025420"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-39334"
},
{
"cve": "CVE-2022-41926",
"product_status": {
"known_affected": [
"2951",
"T025421",
"T025420"
]
},
"release_date": "2022-11-27T23:00:00.000+00:00",
"title": "CVE-2022-41926"
}
]
}
FKIE_CVE-2022-39331
Vulnerability from fkie_nvd - Published: 2022-11-25 19:15 - Updated: 2025-11-03 19:15
Severity ?
4.6 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/nextcloud/desktop/pull/4944 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5 | Third Party Advisory | |
| security-advisories@github.com | https://hackerone.com/reports/1668028 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/desktop/pull/4944 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/1668028 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A7633B29-D30E-483A-BDB1-41514D9358A6",
"versionEndExcluding": "3.6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue."
},
{
"lang": "es",
"value": "Nexcloud Desktop es el cliente de sincronizaci\u00f3n de escritorio para Nextcloud. Un atacante puede inyectar un lenguaje de marcado de hipertexto arbitrario en la aplicaci\u00f3n del cliente de escritorio en las notificaciones. Se recomienda actualizar el cliente de escritorio Nextcloud a 3.6.1. No se conocen workarounds para este problema."
}
],
"id": "CVE-2022-39331",
"lastModified": "2025-11-03T19:15:40.543",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-25T19:15:11.250",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/desktop/pull/4944"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1668028"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/desktop/pull/4944"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/1668028"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…