openSUSE Security Update : nextcloud (openSUSE-2018-936)

medium Nessus Plugin ID 112141

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for nextcloud to version 13.0.5 fixes the following issues :

Security issues fixed :

- CVE-2018-3780: Fixed a missing sanitization of search results for an autocomplete field that could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. (boo#1105598)

Other bugs fixed :

- Fix highlighting of the upload drop zone

- Apply ldapUserFilter on members of group

- Make the DELETION of groups match greedy on the groupID

- Add parent index to share table

- Log full exception in cron instead of only the message

- Properly lock the target file on dav upload when not using part files

- LDAP backup server should not be queried when auth fails

- Fix filenames in sharing integration tests

- Lower log level for quota manipulation cases

- Let user set avatar in nextcloud if LDAP provides invalid image data

- Improved logging of smb connection errors

- Allow admin to disable fetching of avatars as well as a specific attribute

- Allow to disable encryption

- Update message shown when unsharing a file

- Fixed English grammatical error on Settings page.

- Request a valid property for DAV opendir

- Allow updating the token on session regeneration

- Prevent lock values from going negative with memcache backend

- Correctly handle users with numeric user ids

- Correctly parse the subject parameters for link (un)shares of calendars

- Fix 'parsing' of email-addresses in comments and chat messages

- Sanitize parameters in createSessionToken() while logging

- Also retry rename operation on InvalidArgumentException

- Improve url detection in comments

- Only bind to ldap if configuration for the first server is set

- Use download manager from PDF.js to download the file

- Fix trying to load removed scripts

- Only pull for new messages if the session is allowed to be kept alive

- Always push object data

- Add prioritization for Talk

Solution

Update the affected nextcloud package.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1105598

Plugin Details

Severity: Medium

ID: 112141

File Name: openSUSE-2018-936.nasl

Version: 1.5

Type: local

Agent: unix

Published: 8/28/2018

Updated: 8/14/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2018-3780

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:nextcloud, cpe:/o:novell:opensuse:42.3, cpe:/o:novell:opensuse:15.0

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 8/26/2018

Reference Information

CVE: CVE-2018-3780