From 76dc8a3addaa40b0eb281843b86a99808c403bba Mon Sep 17 00:00:00 2001
From: Joas Schilling <coding@schilljs.com>
Date: Tue, 17 Nov 2020 11:46:08 +0100
Subject: [PATCH] Advisory for #894876

Signed-off-by: Joas Schilling <coding@schilljs.com>
---
 contacts/nc-sa-2020-045.json | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 contacts/nc-sa-2020-045.json

diff --git a/contacts/nc-sa-2020-045.json b/contacts/nc-sa-2020-045.json
new file mode 100644
index 0000000..bc13ea2
--- /dev/null
+++ b/contacts/nc-sa-2020-045.json
@@ -0,0 +1,30 @@
+{
+   "Title": "XSS through image upload of contacts using svg file",
+   "Timestamp": 1603195200,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 5.5,
+      "vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+   },
+   "CWE": {
+      "id": 79,
+      "name": "Cross-site Scripting (XSS) - Stored"
+   },
+   "HackerOne": 894876,
+   "Affected":[
+      {
+         "Version":"3.4.0",
+         "CVE":"CVE-2020-8281",
+         "Operator":"<"
+      }
+   ],
+   "Description":"A missing file type check in Nextcloud Contacts 3.3.0 allowed a malicious user to upload malicious SVG files to perform XSS attacks.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Tommy Suriel",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Nextcloud Contacts is upgraded to 3.4.0."
+}