Source: syncthing
Version: 1.19.2~ds1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/syncthing/syncthing/pull/8923
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for syncthing.

CVE-2022-46165[0]:
| Syncthing is an open source, continuous file synchronization
| program. In versions prior to 1.23.5 a compromised instance with
| shared folders could sync malicious files which contain arbitrary
| HTML and JavaScript in the name. If the owner of another device
| looks over the shared folder settings and moves the mouse over the
| latest sync, a script could be executed to change settings for
| shared folders or add devices automatically. Additionally adding a
| new device with a malicious name could embed HTML or JavaScript
| inside parts of the page. As a result the webUI may be subject to a
| stored cross site scripting attack. This issue has been addressed in
| version 1.23.5. Users are advised to upgrade. Users unable to
| upgrade should avoid sharing folders with untrusted users.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-46165
    https://www.cve.org/CVERecord?id=CVE-2022-46165
[1] https://github.com/syncthing/syncthing/pull/8923
[2] https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238 (v1.23.5)
[3] https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
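Added example (not syncthing's own code or its fix) illustrating the class of bug the advisory describes: a synced file name or device name interpolated raw into web UI markup, beside the hardened rendering that escapes the untrusted value first; the sample names, the render functions and the leak check are constructed for illustration and do not reproduce the actual syncthing template.

```javascript
// Constructed sample values: names a peer controls and that the receiving
// device's web UI will display. A file name may legally contain < > " ' &.
const CONSTRUCTED_FILE_NAME = '<img src=x onerror="alert(1)">report.pdf';
const CONSTRUCTED_DEVICE_NAME = 'laptop"><b>x</b>';

// Escape the five characters that change meaning inside HTML text or
// double-quoted attributes. A single-pass regex avoids double-escaping '&'.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (constructed): the untrusted name goes straight into
// an attribute and into element text, so markup in the name becomes markup
// in the page. This is the shape of bug CVE-2022-46165 describes.
function renderNameUnsafe(label, name) {
  return `<span title="${label}: ${name}">${name}</span>`;
}

// Hardened pattern: escape once, at the point where data meets markup.
// Templating engines that auto-escape achieve the same; raw string
// concatenation or "trust as HTML" bindings must be avoided for such data.
function renderNameSafe(label, name) {
  const safe = escapeHtml(name);
  return `<span title="${label}: ${safe}">${safe}</span>`;
}

// Review-time check: strip the template's own wrapper; any angle bracket
// left over came from the data, meaning the name leaked into markup.
function untrustedMarkupLeaked(rendered) {
  const inner = rendered
    .replace(/^<span title="[^"]*">/, '')
    .replace(/<\/span>$/, '');
  return /[<>]/.test(inner);
}

// Stand-alone demonstration of both renderings on the constructed inputs.
function demo() {
  return {
    unsafeLeaks: untrustedMarkupLeaked(renderNameUnsafe('Last synced', CONSTRUCTED_FILE_NAME)),
    safeLeaks: untrustedMarkupLeaked(renderNameSafe('Last synced', CONSTRUCTED_FILE_NAME)),
    deviceUnsafeLeaks: untrustedMarkupLeaked(renderNameUnsafe('Device', CONSTRUCTED_DEVICE_NAME)),
    deviceSafeLeaks: untrustedMarkupLeaked(renderNameSafe('Device', CONSTRUCTED_DEVICE_NAME)),
  };
}
```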

