CVE-2022-39332: 
Nextcloud Desktop Client vulnerability analysis and mitigation

Nextcloud Desktop Client (CVE-2022-39332) is a vulnerability discovered in the Desktop sync client for Nextcloud that allows attackers to inject arbitrary HTML content into the Desktop Client application. The vulnerability was disclosed on November 25, 2022, affecting versions prior to 3.6.1 (NVD, Security Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (Low severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N. The attack vector is Network-based, requiring low attack complexity and low privileges, but does need user interaction. The scope is unchanged, with no impact on confidentiality, low impact on integrity, and no impact on availability (Security Advisory).

The vulnerability allows attackers to inject arbitrary HTML content into the Desktop Client application, potentially leading to cross-site scripting (XSS) attacks via user status and information. The impact is primarily on the integrity of the application, with no direct effect on confidentiality or availability (Security Advisory).

The vulnerability has been patched in Nextcloud Desktop Client version 3.6.1. Users are strongly recommended to upgrade to this version or later. No alternative workarounds are available for this vulnerability (Security Advisory).

The fix for this vulnerability was implemented through a pull request that ensures strings in the main window QML are presented as plain text rather than HTML, which was merged into the master branch (GitHub PR).