CVE-2021-39222

Name of the Vulnerable Software and Affected Versions Nextcloud Talk versions prior to 10.0.7 Nextcloud Talk versions prior to 10.1.4 Nextcloud Talk versions prior to 11.1.2 Nextcloud Talk versions prior to 11.2.0 Nextcloud Talk versions prior to 12.0.0

Description The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) issue. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy.

Recommendations For versions prior to 10.0.7, upgrade to version 10.0.7 or later. For versions prior to 10.1.4, upgrade to version 10.1.4 or later. For versions prior to 11.1.2, upgrade to version 11.1.2 or later. For versions prior to 11.2.0, upgrade to version 11.2.0 or later. For versions prior to 12.0.0, upgrade to version 12.0.0 or later. As a temporary workaround, consider using a browser that has support for Content-Security-Policy.