PT-2021-19893 · Nextcloud+1 · Nextcloud Text+1
Lukasreschkenc
·
Published
2021-07-12
·
Updated
2021-11-03
·
CVE-2021-32733
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Text versions prior to 19.0.13
Nextcloud Text versions prior to 20.0.11
Nextcloud Text versions prior to 21.0.3
Description
A cross-site scripting issue is present in the Nextcloud Text application. The application uses a
text/html Content-Type when serving files to users. However, due to the strict Content-Security-Policy, this issue is not exploitable on modern browsers that support Content-Security-Policy.Recommendations
For versions prior to 19.0.13, update to version 19.0.13 or later.
For versions prior to 20.0.11, update to version 20.0.11 or later.
For versions prior to 21.0.3, update to version 21.0.3 or later.
As a temporary workaround, consider using a browser that supports Content-Security-Policy to minimize the risk of exploitation.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Nextcloud Text