CVE-2022-39333: 
Nextcloud Desktop Client vulnerability analysis and mitigation

Nexcloud desktop is the Desktop sync client for Nextcloud. A vulnerability identified as CVE-2022-39333 was discovered in the Desktop Client application, affecting versions prior to 3.6.1. The vulnerability allows an attacker to inject arbitrary HyperText Markup Language (HTML) into the Desktop Client application, specifically in the call notification popup (Nextcloud Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 3.5 (Low severity) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: Required, Scope: Unchanged, Confidentiality: None, Integrity: Low, Availability: None. The vulnerability is categorized as CWE-79, which relates to Cross-Site Scripting (XSS) issues (Nextcloud Advisory).

The vulnerability allows attackers to inject arbitrary HTML content into the Desktop Client application, potentially leading to cross-site scripting attacks. While the impact is considered low due to the required user interaction and limited integrity impact, it could potentially be used to manipulate the application's interface or execute unwanted scripts (Nextcloud Advisory).

The vulnerability has been patched in Nextcloud Desktop Client version 3.6.1. Users are recommended to upgrade to this version or later to address the security issue. No alternative workarounds are available (Nextcloud Advisory).