Advisory for #894876

Signed-off-by: Joas Schilling <coding@schilljs.com>
author: Joas Schilling <coding@schilljs.com> 2020-11-17 13:46:08 +0300
committer: Joas Schilling <coding@schilljs.com> 2020-11-17 13:49:18 +0300
commit: 76dc8a3addaa40b0eb281843b86a99808c403bba (patch)
tree: 2acd4933d63ee0e8ec93d2303a200f5936abc9de
parent: f0d56d62f2a8dcde032841fdca8fe7afe0bd77c0 (diff)
1 files changed, 30 insertions, 0 deletions
diff --git a/contacts/nc-sa-2020-045.json b/contacts/nc-sa-2020-045.json
new file mode 100644
index 0000000..bc13ea2
--- /dev/null
+++ b/contacts/nc-sa-2020-045.json
@@ -0,0 +1,30 @@
+{
+   "Title": "XSS through image upload of contacts using svg file",
+   "Timestamp": 1603195200,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 5.5,
+      "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+   },
+   "CWE": {
+      "id": 79,
+      "name": "Cross-site Scripting (XSS) - Stored"
+   },
+   "HackerOne": 894876,
+   "Affected":[
+      {
+         "Version":"3.4.0",
+         "CVE":"CVE-2020-8281",
+         "Operator":"<"
+      }
+   ],
+   "Description":"A missing file type check in Nextcloud Contacts 3.3.0 allowed a malicious user to upload malicious SVG files to perform XSS attacks.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Tommy Suriel",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Nextcloud Contacts is upgraded to 3.4.0."
+}
author	Joas Schilling <coding@schilljs.com>	2020-11-17 13:46:08 +0300
committer	Joas Schilling <coding@schilljs.com>	2020-11-17 13:49:18 +0300
commit	76dc8a3addaa40b0eb281843b86a99808c403bba (patch)
tree	2acd4933d63ee0e8ec93d2303a200f5936abc9de
parent	f0d56d62f2a8dcde032841fdca8fe7afe0bd77c0 (diff)