Bug 1207976 (CVE-2023-23942) - VUL-0: CVE-2023-23942: nextcloud-desktop: missing sanitisation on qml labels leading to javascript injection
Summary: VUL-0: CVE-2023-23942: nextcloud-desktop: missing sanitisation on qml labels ...
Status: RESOLVED FIXED
Alias: CVE-2023-23942
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.4
Hardware: Other Other
: P3 - Medium : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/356329/
Whiteboard:
Keywords:
Depends on:
Blocks: 1213080
  Show dependency treegraph
 
Reported: 2023-02-07 09:06 UTC by Thomas Leroy
Modified: 2023-07-10 16:14 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2023-02-07 09:06:06 UTC 
CVE-2023-23942

The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud
Server with your computer. Versions prior to 3.6.3 are missing sanitisation on
qml labels which are used for basic HTML elements such as `strong`, `em` and
`head` lines in the UI of the desktop client. The lack of sanitisation may allow
for javascript injection. It is recommended that the Nextcloud Desktop Client is
upgraded to 3.6.3. There are no known workarounds for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-23942
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-64qc-vf6v-8xgg
https://www.cve.org/CVERecord?id=CVE-2023-23942
https://github.com/nextcloud/desktop/pull/5233
https://hackerone.com/reports/1788598
Comment 1 OBSbugzilla Bot 2023-04-01 10:15:10 UTC 
This is an autogenerated message for OBS integration:
This bug (1207976) was mentioned in
https://build.opensuse.org/request/show/1076605 Backports:SLE-15-SP4 / nextcloud-desktop
Comment 2 Marcus Meissner 2023-04-13 15:33:58 UTC 
openSUSE-SU-2023:0090-1: An update that solves 5 vulnerabilities and has one errata is now available.\n\nCategory: security (important)\nBug References: 1201070,1205798,1205799,1205800,1205801,1207976\nCVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP4 (src):    nextcloud-desktop-3.8.0-bp154.2.3.1\n\n
Comment 3 Marcus Meissner 2023-04-13 15:38:53 UTC 
openSUSE-SU-2023:0090-1: An update that solves 5 vulnerabilities and has one errata is now available.\n\nCategory: security (important)\nBug References: 1201070,1205798,1205799,1205800,1205801,1207976\nCVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP4 (src):    nextcloud-desktop-3.8.0-bp154.2.3.1\n\n
Comment 4 Marcus Meissner 2023-04-13 15:42:30 UTC 
done
Comment 5 Andreas Stieger 2023-07-06 16:32:07 UTC 
fro bug 1213080, update missing in 15.5
Comment 6 Andreas Stieger 2023-07-06 16:44:53 UTC 
submitted the 15.4 update to 15.5. Eric please approve the maintenance request review when it gets to you, and assign the bugs back to security-team@suse.de for processing.
Comment 7 OBSbugzilla Bot 2023-07-06 17:05:08 UTC 
This is an autogenerated message for OBS integration:
This bug (1207976) was mentioned in
https://build.opensuse.org/request/show/1097432 Backports:SLE-15-SP5 / nextcloud-desktop
Comment 8 Andreas Stieger 2023-07-07 06:11:14 UTC 
Picking a random project maintainer.

Please review https://build.opensuse.org/request/show/1097432
This puts the 15.4 package into 15.5.

Then assign to security-team@suse.de

The package has a bugowner @ecsos who is not maintainer. This is not consistent. See SR#1097478 for the permission. (same problem as the "state maintainer" problem)

The distro has no structured mechanism to detect missed updates. You should fix this.
Comment 9 Marcus Meissner 2023-07-10 16:06:23 UTC 
openSUSE-SU-2023:0171-1: An update that fixes 5 vulnerabilities is now available.\n\nCategory: security (important)\nBug References: 1205798,1205799,1205800,1205801,1207976\nCVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942\nJIRA References: \nSources used:\nopenSUSE Backports SLE-15-SP5 (src):    nextcloud-desktop-3.8.0-bp155.2.3.1\n\n
Comment 10 Andreas Stieger 2023-07-10 16:14:21 UTC 
Done for 15.5 now too, closing