Advisory for #894876

Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-11-17 11:46:08 +01:00 · 2020-11-17 11:46:08 +01:00 · 76dc8a3add
--- a/contacts/nc-sa-2020-045.json
+++ b/contacts/nc-sa-2020-045.json
@ -0,0 +1,30 @@
+{
+   "Title": "XSS through image upload of contacts using svg file",
+   "Timestamp": 1603195200,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 5.5,
+      "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+   },
+   "CWE": {
+      "id": 79,
+      "name": "Cross-site Scripting (XSS) - Stored"
+   },
+   "HackerOne": 894876,
+   "Affected":[
+      {
+         "Version":"3.4.0",
+         "CVE":"CVE-2020-8281",
+         "Operator":"<"
+      }
+   ],
+   "Description":"A missing file type check in Nextcloud Contacts 3.3.0 allowed a malicious user to upload malicious SVG files to perform XSS attacks.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Tommy Suriel",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Nextcloud Contacts is upgraded to 3.4.0."
+}