CVE-2024-22213

Cross-site Scripting when sending HTML as a comment in the Nextcloud Deck app

CVSS 0 NONEEPSS 0.5%CWE-79

Vexday Risk Score

3Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 0EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

18 jan 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into executing malicious code that would execute in their browser via HTML sent as a comment. It is recommended that the Nextcloud Deck is upgraded to version 1.9.5 or 1.11.2. There are no known workarounds for this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N

Produtos afetados

nextcloud · security-advisories

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/nextcloud/deck/commit/91f1557362047f8840f53151f176b80148650bcd https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mg7w-x9fm-9wwc https://hackerone.com/reports/2058556