diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2021-06-01 14:18:46 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-01 14:18:46 +0300 |
commit | 2500dd3a59b63edf8187e2d13e79ab1e268446e6 (patch) | |
tree | 4d148f1bbf5df3f4ed3cfece3618b651282f3264 /old/talk/nc-sa-2018-009.json | |
parent | d8dc243bac4bf81e439f3ef3899bb8e3a22fd011 (diff) | |
parent | 04bc66f5af73322ade5de3ce2c507e0a834d3751 (diff) |
Merge pull request #23 from nextcloud/new-github-advisory-workflow
New GitHub advisory workflow
Diffstat (limited to 'old/talk/nc-sa-2018-009.json')
-rw-r--r-- | old/talk/nc-sa-2018-009.json | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/old/talk/nc-sa-2018-009.json b/old/talk/nc-sa-2018-009.json new file mode 100644 index 0000000..bac4f23 --- /dev/null +++ b/old/talk/nc-sa-2018-009.json @@ -0,0 +1,31 @@ +{ + "Title": "Stored XSS in autocomplete suggestions for chat @-mentions", + "Timestamp": 1533902400, + "Risk": 1, + "CVSS3": { + "score": 0.0, + "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:N" + }, + "CWE": { + "id": 79, + "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + }, + "Affected":[ + { + "Version":"3.2.5", + "CVE":"CVE-2018-3781", + "Operator":"<" + } + ], + "Description":"A missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.", + "ActionTaken": "The error has been fixed.", + "Acknowledgment":[ + { + "Name": "Joas Schilling", + "Mail": "coding@schilljs.com", + "Company": "Nextcloud GmbH", + "Reason": "Vulnerability discovery and disclosure." + } + ], + "Resolution": "It is recommended that the Talk app is upgraded to 3.2.5." +} |