Detections
Analytics

openSUSE Security Update : nextcloud (openSUSE-2018-936)

medium Nessus Plugin ID 112141

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for nextcloud to version 13.0.5 fixes the following issues :

Security issues fixed :

 - CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. (boo#1105598)

Other bugs fixed :

 - Fix highlighting of the upload drop zone

 - Apply ldapUserFilter on members of group

 - Make the DELETION of groups match greedy on the groupID

 - Add parent index to share table

 - Log full exception in cron instead of only the message

 - Properly lock the target file on dav upload when not using part files

 - LDAP backup server should not be queried when auth fails

 - Fix filenames in sharing integration tests

 - Lower log level for quota manipulation cases

 - Let user set avatar in nextcloud if LDAP provides invalid image data

 - Improved logging of smb connection errors

 - Allow admin to disable fetching of avatars as well as a specific attribute

 - Allow to disable encryption

 - Update message shown when unsharing a file

 - Fixed English grammatical error on Settings page.

 - Request a valid property for DAV opendir

 - Allow updating the token on session regeneration

 - Prevent lock values from going negative with memcache backend

 - Correctly handle users with numeric user ids

 - Correctly parse the subject parameters for link (un)shares of calendars

 - Fix 'parsing' of email-addresses in comments and chat messages

 - Sanitize parameters in createSessionToken() while logging

 - Also retry rename operation on InvalidArgumentException

 - Improve url detection in comments

 - Only bind to ldap if configuration for the first server is set

 - Use download manager from PDF.js to download the file

 - Fix trying to load removed scripts

 - Only pull for new messages if the session is allowed to be kept alive

 - Always push object data

 - Add prioritization for Talk

Solution

Update the affected nextcloud package.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1105598

Plugin Details

Severity: Medium

ID: 112141

File Name: openSUSE-2018-936.nasl

Version: 1.4

Type: local

Agent: unix

Published: 8/28/2018

Updated: 1/19/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nextcloud, cpe:/o:novell:opensuse:15.0, cpe:/o:novell:opensuse:42.3

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 8/26/2018

Reference Information

CVE: CVE-2018-3780