CVE-2021-32679

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 19.0.13 Nextcloud Server versions prior to 20.0.11 Nextcloud Server versions prior to 21.0.3

Description Nextcloud Server is a package that handles data storage. In affected versions, filenames were not escaped by default in controllers using DownloadResponse. When a user-supplied filename was passed unsanitized into a DownloadResponse, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviors where Nextcloud applications would display a benign file extension, but the file will actually be downloaded with an executable file extension.

Recommendations For versions prior to 19.0.13, update to version 19.0.13 or later. For versions prior to 20.0.11, update to version 20.0.11 or later. For versions prior to 21.0.3, update to version 21.0.3 or later. As a temporary workaround, developers of Nextcloud apps may manually escape the file name before passing it into DownloadResponse.