Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2020-8189 CVE-2020-8227 |
CWE-ID | CWE-79 CWE-22 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | desktop (Other software / Other software solutions) |
Vendor | Nextcloud |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU46083
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8189
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
Description: The vulnerability allows a remote authenticated user to read and manipulate data.
A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed any HTML (including local links) to be presented when invalid data was returned in response to a login attempt.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: desktop: 2.0.0 - 2.6.4
External links:
http://hackerone.com/reports/685552
http://nextcloud.com/security/advisory/?id=NC-SA-2020-027
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU46082
Risk: Medium
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8227
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description: The vulnerability allows a remote privileged user to execute arbitrary code.
Missing sanitization of a server response in Nextcloud Desktop Client 2.6.4 for Linux allowed a malicious Nextcloud Server to store files outside of the dedicated sync directory.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: desktop: 2.0.0 - 2.6.4
External links:
http://hackerone.com/reports/590319
http://nextcloud.com/security/advisory/?id=NC-SA-2020-032
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
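The kind of containment check whose absence CVE-2020-8227 describes can be sketched as follows. This is an added example, not Nextcloud's code or its actual fix; `resolveInsideSyncRoot` and the sample paths are hypothetical, and the check is purely lexical (it assumes no symlinks inside the sync directory point outside it).

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper (not Nextcloud code): map a server-supplied relative
// path to a local path under syncRoot. Returns false if the name is absolute,
// empty, contains a NUL byte, or has a ".." component that could leave the root.
bool resolveInsideSyncRoot(const std::string &syncRoot,
                           const std::string &remotePath,
                           std::string &localPath)
{
    if (remotePath.empty() || remotePath[0] == '/' ||
        remotePath.find('\0') != std::string::npos)
        return false;
    std::vector<std::string> parts;
    std::string current;
    for (std::size_t i = 0; i <= remotePath.size(); ++i) {
        if (i < remotePath.size() && remotePath[i] != '/') {
            current += remotePath[i];
            continue;
        }
        if (current == "..")
            return false;              // reject rather than try to resolve
        if (!current.empty() && current != ".")
            parts.push_back(current);  // drop empty and "." components
        current.clear();
    }
    if (parts.empty())
        return false;                  // e.g. "." or "./": nothing to write
    std::string result = syncRoot;
    while (!result.empty() && result.back() == '/')
        result.pop_back();             // normalise trailing slash on the root
    for (const std::string &p : parts)
        result += "/" + p;
    localPath = result;
    return true;
}

int main() {
    // Constructed sample names, as a server response might supply them.
    const char *samples[] = {"docs/report.txt", "../outside.txt",
                             "docs/../../outside.txt", "/tmp/outside.txt"};
    for (const char *s : samples) {
        std::string out;
        bool ok = resolveInsideSyncRoot("/home/user/Nextcloud", s, out);
        std::cout << s << " -> " << (ok ? out : "REJECTED") << "\n";
    }
}
```

A client would apply such a check to every path taken from a server response before creating, moving or deleting anything on disk.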