user/nextcloud-client: multiple vulnerabilities
Bugzilla ID | 360 |
Alias(es) | CVE-2020-8189, CVE-2020-8224, CVE-2020-8227 |
Reporter | Max Rees (sroracle) |
Assignee | Max Rees (sroracle) |
Reported | 2020-10-26 01:02:58 -0500 |
Modified | 2020-10-26 01:02:58 -0500 |
Status | UNCONFIRMED |
Version | 1.0-RC1 |
Hardware | Adélie Linux / All |
Importance | --- / normal |
Package(s) | user/nextcloud-client |
Description
CVE-2020-8227: https://nvd.nist.gov/vuln/detail/CVE-2020-8227
Missing sanitization of a server response in Nextcloud Desktop Client
2.6.4 for Linux allowed a malicious Nextcloud Server to store files
outside of the dedicated sync directory.
CVE-2020-8224: https://nvd.nist.gov/vuln/detail/CVE-2020-8224
A code injection in Nextcloud Desktop Client 2.6.4 allowed arbitrary
code to be loaded when a malicious OpenSSL config was placed into a
fixed directory.
CVE-2020-8189: https://nvd.nist.gov/vuln/detail/CVE-2020-8189
A cross-site scripting error in Nextcloud Desktop Client 2.6.4 allowed
any HTML (including local links) to be presented when responding with
invalid data on the login attempt.
All fixed in >= 2.6.5