Open tgoeg opened 2 weeks ago
Thank you, that's a good finding.
Please report it via https://hackerone.com/nextcloud.
Done.
Well, that wasn't all that successful :-)
I still think placing vulnerable code on production systems is not the best idea, even if the code is not in use. I may not see the other report, there's probably a more promising fix there.
Not posting this secretly as this is already known across the web.
This app's composer.json includes RubixML via https://github.com/nextcloud-deps/RubixML. That repo is behind the current master of RubixML, which already has this fixed.
Still including it: https://github.com/nextcloud-deps/RubixML/blob/master/mkdocs.yml
Already fixed: https://github.com/RubixML/ML/commit/fef1033456f3b347e05b0a193919120b415f4127
I don't know who's responsible for the nextcloud-deps fork, but please either use another, current source or (make people) update the fork. Thanks!