PT-2021-19928 · Nextcloud+1 · Nextcloud Circles+1
Lukas Reschke · Published 2021-09-07 · Updated 2021-09-10 · CVE-2021-32782
CVSS v3.1: 5.8 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Circles versions prior to 0.19.14
Nextcloud Circles versions prior to 0.20.10
Nextcloud Circles versions prior to 0.21.3
Description
The Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) issue. Because of the strict Content-Security-Policy shipped with Nextcloud, the issue is not exploitable in modern browsers that enforce Content-Security-Policy. A notable exception is Internet Explorer, which does not properly support Content-Security-Policy.
Recommendations
For versions prior to 0.19.14, upgrade to 0.19.14 to resolve this issue.
For versions prior to 0.20.10, upgrade to 0.20.10 to resolve this issue.
For versions prior to 0.21.3, upgrade to 0.21.3 to resolve this issue.
As a temporary workaround, users may use a browser that has support for Content-Security-Policy.
Fix
XSS
Affected Products
Internet Explorer
Nextcloud Circles