Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 617910 (CVE-2017-0890, CVE-2017-0891, CVE-2017-0892, CVE-2017-0893, CVE-2017-0894, CVE-2017-0895) - <www-apps/nextcloud-11.0.3: Multiple Vulnerabilities
Summary: <www-apps/nextcloud-11.0.3: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-0890, CVE-2017-0891, CVE-2017-0892, CVE-2017-0893, CVE-2017-0894, CVE-2017-0895
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-09 00:55 UTC by Michael Boyle
Modified: 2017-06-06 12:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Boyle 2017-05-09 00:55:06 UTC 
Multiple vulnerabilities
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 05:20:43 UTC 
CVE ID: CVE-2017-0890
   Summary: Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.
 Published: 2017-05-08T20:29:00.000Z

______________________________

CVE ID: CVE-2017-0891
   Summary: Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to an inadequate escaping of error messages leading to XSS vulnerabilities in multiple components.
 Published: 2017-05-08T20:29:00.000Z

______________________________

CVE ID: CVE-2017-0892
   Summary: Nextcloud Server before 11.0.3 is vulnerable to an improper session handling allowed an application specific password without permission to the files access to the users file.
 Published: 2017-05-08T20:29:00.000Z

______________________________

VE ID: CVE-2017-0893
   Summary: Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vulnerable JavaScript library for sanitizing untrusted user-input which suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.
 Published: 2017-05-08T20:29:00.000Z

______________________________

VE ID: CVE-2017-0894
   Summary: Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid share tokens for public calendars due to a logical error. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.
 Published: 2017-05-08T20:29:00.000Z

______________________________

CVE ID: CVE-2017-0895
   Summary: Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure of calendar and addressbook names to other logged-in users. Note that no actual content of the calendar and addressbook has been disclosed.
 Published: 2017-05-08T20:29:00.000Z
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2017-05-09 05:21:43 UTC 
Version 11.0.3 is in tree
Maintainer(s), please drop the vulnerable version(s).
Comment 3 Bernard Cafarelli gentoo-dev 2017-05-11 10:42:12 UTC 
Ack, I dropped all versions except current 11.0.3
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-05-12 06:06:16 UTC 
Maintainer(s), Thank you for your work.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-06 12:02:50 UTC 
All done.