openSUSE Security Update : nextcloud (openSUSE-2018-936)

Low Nessus Plugin ID 112141

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for nextcloud to version 13.0.5 fixes the following issues :

Security issues fixed :

- CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. (boo#1105598)

Other bugs fixed :

- Fix highlighting of the upload drop zone

- Apply ldapUserFilter on members of group

- Make the DELETION of groups match greedy on the groupID

- Add parent index to share table

- Log full exception in cron instead of only the message

- Properly lock the target file on dav upload when not using part files

- LDAP backup server should not be queried when auth fails

- Fix filenames in sharing integration tests

- Lower log level for quota manipulation cases

- Let user set avatar in nextcloud if LDAP provides invalid image data

- Improved logging of smb connection errors

- Allow admin to disable fetching of avatars as well as a specific attribute

- Allow to disable encryption

- Update message shown when unsharing a file

- Fixed English grammatical error on Settings page.

- Request a valid property for DAV opendir

- Allow updating the token on session regeneration

- Prevent lock values from going negative with memcache backend

- Correctly handle users with numeric user ids

- Correctly parse the subject parameters for link (un)shares of calendars

- Fix 'parsing' of email-addresses in comments and chat messages

- Sanitize parameters in createSessionToken() while logging

- Also retry rename operation on InvalidArgumentException

- Improve url detection in comments

- Only bind to ldap if configuration for the first server is set

- Use download manager from PDF.js to download the file

- Fix trying to load removed scripts

- Only pull for new messages if the session is allowed to be kept alive

- Always push object data

- Add prioritization for Talk

Solution

Update the affected nextcloud package.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1105598

Plugin Details

Severity: Low

ID: 112141

File Name: openSUSE-2018-936.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2018/08/28

Modified: 2018/10/11

Dependencies: 12634

Risk Information

Risk Factor: Low

CVSS v2.0

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS v3.0

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nextcloud, cpe:/o:novell:opensuse:15.0, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2018/08/26

Reference Information

CVE: CVE-2018-3780