Nextcloud · Nextcloud Contacts · CVE-2020-8280
Name of the Vulnerable Software and Affected Versions:
Nextcloud Contacts version 3.4.0
Description:
A missing file type check allows a malicious user to upload SVG files as PNG files, enabling cross-site scripting (XSS) attacks. The check relied on the type the client declared (file name or MIME type) rather than on the file content; an SVG is an XML document that may contain script, so an SVG stored under a .png name and later served and opened directly in the browser runs that script in the Nextcloud origin.
Recommendations:
Upgrade Nextcloud Contacts to a release that contains the upstream fix. Where that is not yet possible, restrict photo uploads to raster formats and validate the file type from its content (magic bytes), not from the client-supplied name or MIME type; reject SVG outright, or, if SVG must be accepted, sanitize it and serve it with Content-Disposition: attachment and X-Content-Type-Options: nosniff so it is never rendered inline on the application origin.
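The following is an added example of the check described above; it is not Nextcloud's code and makes no claim about how the Contacts app implements its fix. It contrasts a declared-type check (the vulnerable pattern) with a content-based check: the raster signatures are the standard PNG, JPEG and GIF magic bytes, SVG is detected as XML text whose root element is <svg>, and the sample files (a 1x1 PNG and an SVG carrying a generic alert payload) are constructed here for the demonstration.

```python
"""Content-based image type validation (added example, not Nextcloud code)."""
import base64
import re
from typing import Optional, Tuple

# Magic bytes of the raster formats we accept (standard file signatures).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SIG = b"\xff\xd8\xff"
GIF_SIGS = (b"GIF87a", b"GIF89a")

# Accepted types and the extensions that may carry them (hypothetical policy).
ALLOWED = {"image/png": (".png",), "image/jpeg": (".jpg", ".jpeg"), "image/gif": (".gif",)}

# An SVG is an XML document: optional BOM/whitespace, optional XML prolog,
# comments or DOCTYPE, then an <svg> root element.
SVG_RE = re.compile(
    rb"(?:<\?xml[^>]*\?>\s*|<!--.*?-->\s*|<!DOCTYPE[^>]*>\s*)*<svg\b", re.S | re.I
)

# Constructed samples: a 1x1 transparent PNG and an SVG with a script element.
SAMPLE_PNG = base64.b64decode(
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
)
SAMPLE_SVG = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!-- looks like an image to a name-based check -->\n'
    b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">\n'
    b"  <script>alert(document.domain)</script>\n"
    b"</svg>\n"
)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file content, or None if unknown."""
    if data.startswith(PNG_SIG):
        return "image/png"
    if data.startswith(JPEG_SIG):
        return "image/jpeg"
    if data.startswith(GIF_SIGS):
        return "image/gif"
    head = data[:4096].lstrip(b"\xef\xbb\xbf").lstrip()
    if SVG_RE.match(head):
        return "image/svg+xml"
    return None


def validate_declared_only(filename: str, declared_mime: str, data: bytes) -> bool:
    """Vulnerable pattern: trusts what the client says about the file.

    The bytes are never inspected, so an SVG named avatar.png passes.
    """
    if declared_mime in ALLOWED:
        return True
    return filename.lower().endswith(tuple(e for exts in ALLOWED.values() for e in exts))


def validate_by_content(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Hardened check: the content decides, and name/MIME must agree with it."""
    actual = sniff_image_type(data)
    if actual is None:
        return False, "unrecognised content"
    if actual not in ALLOWED:
        return False, f"{actual} is not an accepted type"
    if declared_mime != actual:
        return False, f"declared {declared_mime} but content is {actual}"
    if not filename.lower().endswith(ALLOWED[actual]):
        return False, f"extension of {filename} does not match {actual}"
    return True, actual


if __name__ == "__main__":
    for name, mime, blob in (("avatar.png", "image/png", SAMPLE_SVG),
                             ("avatar.png", "image/png", SAMPLE_PNG)):
        print(name, "declared-only:", validate_declared_only(name, mime, blob),
              "| by-content:", validate_by_content(name, mime, blob))
```

The content check is deliberately strict in both directions: a real PNG declared as image/jpeg is rejected too, because a mismatch between declared and actual type is exactly the signal that the client is not to be trusted. Whatever type the check accepts should also be the Content-Type used when the file is served, with X-Content-Type-Options: nosniff, so the browser cannot reinterpret the bytes.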