DLA-4303-1

Details

CVE-2023-28997

Multiple vulnerabilities were discovered in nextcloud-desktop, nextcloud folder synchronization tool.

CVE-2022-39331

An attacker can inject arbitrary HyperText Markup Language into
the Desktop Client application in the notifications.

CVE-2022-39332

An attacker can inject arbitrary HyperText Markup Language into
the Desktop Client application via user status and information.

CVE-2022-39333

An attacker can inject arbitrary HyperText Markup Language into
the Desktop Client application.

CVE-2022-39334

A CLI utility called nextcloudcmd which is sometimes used for
automated scripting and headless servers would incorrectly trust
invalid TLS certificates, which may enable a Man-in-the-middle
attack that exposes sensitive data or credentials to a network
attacker.

CVE-2023-28997

A malicious server administrator can recover and modify the
contents of end-to-end encrypted files.

Affected Packages

nextcloud-desktop

Debian 11

Fixed in:

3.1.1-2+deb11u2

References

ADVISORY

https://security-tracker.debian.org/tracker/DLA-4303-1