CVE-2023-33182

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-33182
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33182.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-33182
Aliases
  • GHSA-hxr6-cx85-gcjx
Published
2023-05-30T05:15:11Z
Modified
2024-06-06T14:22:18.073762Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
[none]
Details

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4

References

Affected packages

Git / github.com/nextcloud/contacts

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/contacts
Events

Affected versions

v4.*

v4.1.0
v4.2.0
v4.2.0-rc1
v4.2.0-rc2
v4.2.1
v4.2.2
v4.2.3