[security] polyfill.io included via outdated RubixML fork

[tgoeg]

Not posting this secretly as this is already known across the web.

This apps composer.json includes rubixML via https://github.com/nextcloud-deps/RubixML
That repo is behind the current master of RubixML which has this already fixed.

Still including it:
https://github.com/nextcloud-deps/RubixML/blob/master/mkdocs.yml

Already fixed:
RubixML/ML@fef1033

I don't know who's responsible for the nextcloud-deps fork, but please either use another, current source or (make people) update the fork.
Thanks!

[kesselb]

Thank you, that's a good finding.

Please report it via https://hackerone.com/nextcloud.

[tgoeg]

Done.

[tgoeg]

Well, that wasn't all that successful :-)

I still think placing vulnerable code on production systems is not the best idea, even if the code is not in use.
I may not see the other report, there's probably a more promising fix there.

[si458]

came here to say the same thing, our plesk server went nuts with alerts, because its now listing it as a virus

simply removing the line fixes the issue as explained above
but nextcloud do need to fix this for the suspicious_login plugin and do a new release for production