Disclose vulnerability GHSA-m682-v4g9-wrq7

Hi all! Are there any plans to open public access to the HackerOne report of the “Preview generation used third-party library not suited for user-generated content” vulnerability?

It’s been almost a year now, so I guess it’s OK to do it.

Thanks!

@Daphne @jospoortvliet Can you help out here?

Not sure about the purpose, but just the fact that people can learn from previous security issues might be reason enough.

All relevant information is available in the SA: Preview generation used third-party library not suited for user-generated content · Advisory · nextcloud/security-advisories · GitHub

We didn’t publish the H1 ticket as it was created by an internal developer and the only additional information is basically a sample file to exploit it.
