Summary: | <www-apps/nextcloud-11.0.3: Multiple Vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Michael Boyle <boylemic> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | voyageur, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | ~3 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Michael Boyle
2017-05-09 00:55:06 UTC
CVE ID: CVE-2017-0890 Summary: Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue. Published: 2017-05-08T20:29:00.000Z ______________________________ CVE ID: CVE-2017-0891 Summary: Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to an inadequate escaping of error messages leading to XSS vulnerabilities in multiple components. Published: 2017-05-08T20:29:00.000Z ______________________________ CVE ID: CVE-2017-0892 Summary: Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file. Published: 2017-05-08T20:29:00.000Z ______________________________ VE ID: CVE-2017-0893 Summary: Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vulnerable JavaScript library for sanitizing untrusted user-input which suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers. Published: 2017-05-08T20:29:00.000Z ______________________________ VE ID: CVE-2017-0894 Summary: Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. Published: 2017-05-08T20:29:00.000Z ______________________________ CVE ID: CVE-2017-0895 Summary: Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed. Published: 2017-05-08T20:29:00.000Z Version 11.0.3 is in tree Maintainer(s), please drop the vulnerable version(s). Ack, I dropped all versions except current 11.0.3 Maintainer(s), Thank you for your work. All done. |