CVE-2023-33182 - Vulnerability Details - OpenCVE

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Nextcloud	Contacts

Configuration 1 [-]

OR	cpe:2.3:a:nextcloud:contacts::::::::
	cpe:2.3:a:nextcloud:contacts::::::::

No data.

References

Link	Providers
https://github.com/nextcloud/contacts/pull/3199
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx
https://hackerone.com/reports/1789602

History

Fri, 10 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-05-30T04:58:07.669Z

Updated: 2025-01-10T19:59:11.557Z

Reserved: 2023-05-17T22:25:50.697Z

Link: CVE-2023-33182

Vulnrichment

Updated: 2024-08-02T15:39:36.162Z

NVD

Status : Modified

Published: 2023-05-30T05:15:11.957

Modified: 2024-11-21T08:05:04.093

Link: CVE-2023-33182

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-33182", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-17T22:25:50.697Z", "datePublished": "2023-05-30T04:58:07.669Z", "dateUpdated": "2025-01-10T19:59:11.557Z"}, "containers": {"cna": {"title": "Nextcloud Contacts photos only sanitized if mime type is all lower case", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx"}, {"name": "https://github.com/nextcloud/contacts/pull/3199", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/contacts/pull/3199"}, {"name": "https://hackerone.com/reports/1789602", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1789602"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": ">= 4.1.0, < 4.2.4", "status": "affected"}, {"version": ">= 5.0.0, < 5.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-30T04:58:07.669Z"}, "descriptions": [{"lang": "en", "value": "Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4\n\n"}], "source": {"advisory": "GHSA-hxr6-cx85-gcjx", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:36.162Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx"}, {"name": "https://github.com/nextcloud/contacts/pull/3199", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/contacts/pull/3199"}, {"name": "https://hackerone.com/reports/1789602", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1789602"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-10T19:59:03.502162Z", "id": "CVE-2023-33182", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-10T19:59:11.557Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/nextcloud/contacts/pull/3199", "name": "https://github.com/nextcloud/contacts/pull/3199", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://hackerone.com/reports/1789602", "name": "https://hackerone.com/reports/1789602", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T15:39:36.162Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-33182", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-10T19:59:03.502162Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-10T19:59:07.527Z"}}], "cna": {"title": "Nextcloud Contacts photos only sanitized if mime type is all lower case", "source": {"advisory": "GHSA-hxr6-cx85-gcjx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"status": "affected", "version": ">= 4.1.0, < 4.2.4"}, {"status": "affected", "version": ">= 5.0.0, < 5.0.3"}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nextcloud/contacts/pull/3199", "name": "https://github.com/nextcloud/contacts/pull/3199", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/1789602", "name": "https://hackerone.com/reports/1789602", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4\n\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-05-30T04:58:07.669Z"}}}, "cveMetadata": {"cveId": "CVE-2023-33182", "state": "PUBLISHED", "dateUpdated": "2025-01-10T19:59:11.557Z", "dateReserved": "2023-05-17T22:25:50.697Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-05-30T04:58:07.669Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "matchCriteriaId": "249930BE-FAAC-4802-AD8C-CD86D5CBA1BC", "versionEndExcluding": "4.2.4", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "matchCriteriaId": "B07ED717-3B87-434B-980F-32F2CD033D3A", "versionEndExcluding": "5.0.3", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.0.3 or 4.2.4\n\n"}], "id": "CVE-2023-33182", "lastModified": "2024-11-21T08:05:04.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-05-30T05:15:11.957", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nextcloud/contacts/pull/3199"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/1789602"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nextcloud/contacts/pull/3199"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hxr6-cx85-gcjx"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/1789602"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}