PT-2021-18214 · Nextcloud · @Nextcloud/Dialogs

Lukas Reschke

·

Published

2021-04-13

·

Updated

2021-04-19

·

CVE-2021-29438

CVSS v3.1

4.6

Medium

Vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: @nextcloud/dialogs versions prior to 3.1.2
Description: Text passed to a toast in the Nextcloud dialogs library was not sufficiently escaped before being rendered. Any application that displays toasts containing user-supplied input is therefore exposed to cross-site scripting (XSS). Nextcloud Server ships a strict Content Security Policy that mitigates the impact of such XSS.
Recommendations: Update @nextcloud/dialogs to version 3.1.2 or later. From 3.1.2 on, toast text is escaped unless the caller opts in to HTML, so if you need to render HTML in a toast, pass the options.isHTML config flag explicitly. As a temporary workaround for older versions, make sure no user-supplied input flows into toasts.
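The following is an added example, not code from @nextcloud/dialogs or from Nextcloud: a minimal toast renderer that places the pre-3.1.2 pattern (text interpolated into the toast markup as-is) beside an escape-by-default renderer with an explicit isHTML opt-in, as the recommendation describes. The function names, the toast markup and the sample input are assumptions made for illustration; the library's real API is not reproduced here.

```javascript
// Constructed attacker-controlled string, e.g. a value an application would
// echo back in a toast. An inline event handler is used as the payload.
const USER_INPUT = '<img src=x onerror="alert(1)">';

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pattern behind the advisory (simplified, hypothetical): the caller's text is
// dropped straight into the toast markup, so markup in the text becomes markup
// in the page.
function renderToastVulnerable(text) {
  return `<div class="toast">${text}</div>`;
}

// Hardened pattern: text is escaped by default; callers that really need HTML
// in the toast must opt in with options.isHTML and are then responsible for
// the content they pass.
function renderToast(text, options = {}) {
  const body = options.isHTML ? String(text) : escapeHtml(text);
  return `<div class="toast">${body}</div>`;
}

// Practitioner's check: does the toast body contain any tag beyond the wrapper?
// A true result on the default (non-isHTML) path means escaping failed.
function containsInjectedTag(markup) {
  const inner = markup.replace(/^<div class="toast">/, '').replace(/<\/div>$/, '');
  return /<[a-z!\/]/i.test(inner);
}

// Stand-alone demonstration.
console.log('vulnerable :', renderToastVulnerable(USER_INPUT));
console.log('escaped    :', renderToast(USER_INPUT));
console.log('isHTML     :', renderToast('<b>Saved</b>', { isHTML: true }));
console.log('injected tag on vulnerable path:', containsInjectedTag(renderToastVulnerable(USER_INPUT)));
console.log('injected tag on escaped path   :', containsInjectedTag(renderToast(USER_INPUT)));
```

Escaping by default is the fix; the Content Security Policy the advisory mentions is defence in depth that would block the inline handler in this sample payload but does not make the unescaped path safe.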

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2021-29438
GHSA-G3FQ-3V3G-MH32

Affected Products

@Nextcloud/Dialogs