Vulnerabilities > CVE-2023-33182 - Unspecified vulnerability in Nextcloud Contacts

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

LOW

network

low complexity

nextcloud

NVD

Published: 2023-05-30

Updated: 2023-06-06

Summary

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4

Vulnerable Configurations

Part	Description	Count
Application	Nextcloud Nextcloud Contacts *	1

References

https://github.com/nextcloud/contacts/pull/3199
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx
https://hackerone.com/reports/1789602