← Volver a CVEs
CVE-2023-33182
NONE0.0
Descripcion
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4
Detalles CVE
Puntuacion CVSS v3.10.0
SeveridadNONE
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado5/30/2023
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0
Productos afectados
nextcloud:contacts
Debilidades (CWE)
CWE-20
Referencias
https://github.com/nextcloud/contacts/pull/3199(security-advisories@github.com)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx(security-advisories@github.com)
https://hackerone.com/reports/1789602(security-advisories@github.com)
https://github.com/nextcloud/contacts/pull/3199(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx(af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1789602(af854a3a-2127-422b-91ae-364da2661108)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.