diff options
| author | Joas Schilling <coding@schilljs.com> | 2020-11-17 13:38:26 +0300 |
|---|---|---|
| committer | Joas Schilling <coding@schilljs.com> | 2020-11-17 13:45:47 +0300 |
| commit | f0d56d62f2a8dcde032841fdca8fe7afe0bd77c0 (patch) | |
| tree | 0d974c2d16acc2c2ddb9840ac2693470e4c04371 | |
| parent | 1506af521fa884270236cdf0a42025247096a33d (diff) | |
Advisory for #998422
Signed-off-by: Joas Schilling <coding@schilljs.com>
| -rw-r--r-- | contacts/nc-sa-2020-044.json | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/contacts/nc-sa-2020-044.json b/contacts/nc-sa-2020-044.json new file mode 100644 index 0000000..7eacb42 --- /dev/null +++ b/contacts/nc-sa-2020-044.json @@ -0,0 +1,30 @@ +{ + "Title": "XSS through image upload on contacts using svg file with png extension", + "Timestamp": 1603195200, + "Risk": 1, + "CVSS3": { + "score": 5.5, + "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L" + }, + "CWE": { + "id": 79, + "name": "Cross-site Scripting (XSS) - Stored" + }, + "HackerOne": 998422, + "Affected":[ + { + "Version":"3.4.1", + "CVE":"CVE-2020-8280", + "Operator":"<" + } + ], + "Description":"A missing file type check in Nextcloud Contacts 3.4.0 allowed a malicious user to upload SVG files as PNG files to perform XSS attacks.", + "ActionTaken": "The error has been fixed.", + "Acknowledgment":[ + { + "Name": "Tommy Suriel", + "Reason": "Vulnerability discovery and disclosure." + } + ], + "Resolution": "It is recommended that the Nextcloud Contacts is upgraded to 3.4.1." +} |