Merge pull request #23 from nextcloud/new-github-advisory-workflow

New GitHub advisory workflow

1 files changed, 31 insertions, 0 deletions

diff --git a/old/talk/nc-sa-2018-009.json b/old/talk/nc-sa-2018-009.json
new file mode 100644
index 0000000..bac4f23
--- /dev/null
+++ b/old/talk/nc-sa-2018-009.json
@@ -0,0 +1,31 @@
+{
+   "Title": "Stored XSS in autocomplete suggestions for chat @-mentions",
+   "Timestamp": 1533902400,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 0.0,
+      "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N"
+   },
+   "CWE": {
+      "id": 79,
+      "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+   },
+   "Affected":[
+      {
+         "Version":"3.2.5",
+         "CVE":"CVE-2018-3781",
+         "Operator":"<"
+      }
+   ],
+   "Description":"A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Joas Schilling",
+         "Mail": "coding@schilljs.com",
+         "Company": "Nextcloud GmbH",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Talk app is upgraded to 3.2.5."
+}