Unrated severityNVD Advisory· Published Feb 6, 2023· Updated Mar 10, 2025
Self reflected HTML injection in Desktop client
CVE-2023-23942
Description
The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as strong, em and head lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
6- Range: <3.6.3
- osv-coords4 versionspkg:rpm/opensuse/nextcloud-desktop&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/nextcloud-desktop&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/nextcloud-desktop&distro=SUSE%20Package%20Hub%2015%20SP4pkg:rpm/suse/nextcloud-desktop&distro=SUSE%20Package%20Hub%2015%20SP5
< 3.8.0-bp154.2.3.1+ 3 more
- (no CPE)range: < 3.8.0-bp154.2.3.1
- (no CPE)range: < 3.8.0-bp155.2.3.1
- (no CPE)range: < 3.8.0-bp154.2.3.1
- (no CPE)range: < 3.8.0-bp155.2.3.1
- nextcloud/security-advisoriesv5Range: < 3.6.3
Patches
Vulnerability mechanics
References
3- github.com/nextcloud/desktop/pull/5233mitrex_refsource_MISC
- github.com/nextcloud/security-advisories/security/advisories/GHSA-64qc-vf6v-8xggmitrex_refsource_CONFIRM
- hackerone.com/reports/1788598mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.