Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 734
Alerts This Week
Warning Icon 1 734

Debian 11: DLA-4303-1 nextcloud-desktop Critical HTML Injection Advisory

debian lts
Calendar Grey September 18, 2025
Dist Debian Esm H88
The Debian Long Term Support Advisory DLA-4303-1 focuses on serious vulnerabilities found in nextcloud-desktop, particularly emphasizing various HTML injection flaws.
Multiple vulnerabilities were discovered in nextcloud-desktop, nextcloud folder synchronization tool

Summary

CVE-2022-39331

An attacker can inject arbitrary HyperText Markup Language into
the Desktop Client application in the notifications.

CVE-2022-39332

An attacker can inject arbitrary HyperText Markup Language into
the Desktop Client application via user status and information.

CVE-2022-39333

An attacker can inject arbitrary HyperText Markup Language into
the Desktop Client application.

CVE-2022-39334

A CLI utility called nextcloudcmd which is sometimes used for
automated scripting and headless servers would incorrectly trust
invalid TLS certificates, which may enable a Man-in-the-middle
attack that exposes sensitive data or credentials to a network
attacker.

CVE-2023-28997

A malicious server administrator can recover and modify the
contents of end-to-end encrypted files.

For Debian 11 bullseye, these problems have been fixed in version
3.1.1-2+deb11u2.

For Debian 11 bullseye, these problems have been fixed in version
3.1.1-2+deb11u2.

Read the Full Advisory


Severity
critical
Lowest
Low
Medium
High
Critical

Package: nextcloud-desktop
Version: 3.1.1-2+deb11u2
CVE ID: CVE-2022-39331 CVE-2022-39332 CVE-2022-39333 CVE-2022-39334

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.