CVE-2023-33182

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/contacts/pull/3199	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx	Vendor Advisory
https://hackerone.com/reports/1789602	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:contacts::::::::
	cpe:2.3:a:nextcloud:contacts::::::::

History

05 Jun 2023, 16:57

Type	Values Removed	Values Added
References	~~(MISC) https://hackerone.com/reports/1789602 -~~	(MISC) https://hackerone.com/reports/1789602 - Permissions Required
References	~~(MISC) https://github.com/nextcloud/contacts/pull/3199 -~~	(MISC) https://github.com/nextcloud/contacts/pull/3199 - Patch
References	~~(MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx -~~	(MISC) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx - Vendor Advisory
CWE		NVD-CWE-noinfo
CPE		cpe:2.3:a:nextcloud:contacts::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3

30 May 2023, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-05-30 05:15

Updated : 2024-02-04 23:37

NVD link : CVE-2023-33182

Mitre link : CVE-2023-33182

CVE.ORG link : CVE-2023-33182

JSON object : View

Products Affected

nextcloud

contacts

CWE

NVD-CWE-noinfo CWE-20

Improper Input Validation

{"id": "CVE-2023-33182", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 2.8}]}, "published": "2023-05-30T05:15:11.957", "references": [{"url": "https://github.com/nextcloud/contacts/pull/3199", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1789602", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4\n\n"}], "lastModified": "2023-06-06T13:47:28.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "249930BE-FAAC-4802-AD8C-CD86D5CBA1BC", "versionEndExcluding": "4.2.4", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B07ED717-3B87-434B-980F-32F2CD033D3A", "versionEndExcluding": "5.0.3", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}