PT-2022-24908 · Nextcloud+1 · User Oidc+1

Lauritz · Published 2022-11-25 · Updated 2022-12-01 · CVE-2022-39338
CVSS v3.1 3.5 Low
Vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions user_oidc (the OpenID Connect user backend for Nextcloud), versions prior to 1.2.1
Description user_oidc does not properly validate the discovery URL configured for an OpenID Connect provider. A crafted value can therefore be stored and later rendered by the application, which gives a stored cross-site scripting (XSS) vector. The preconditions are narrow, as the CVSS vector shows: the attacker needs high privileges (PR:H, i.e. an account able to configure providers) and the victim must interact with the affected page (UI:R). The impact is further limited by the restrictive Content Security Policy (CSP) applied on this endpoint; exploitation has only been demonstrated in the Safari web browser.
Recommendations Upgrade user_oidc to version 1.2.1 or later. If an upgrade is not immediately possible, advise users to avoid the Safari web browser as a temporary mitigation; this only narrows exposure and does not correct the validation flaw or remove an already stored payload, so the upgrade is still required.
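The following is an added illustration of the validation gap this advisory describes and of the check a practitioner would want in its place. It is not code from user_oidc or Nextcloud, and the function names, the HTML rendering helper and the sample URLs are constructed for this page. It places a permissive "looks like a URL" check beside a strict one that accepts only a single absolute https URL built from RFC 3986 characters, so that quotes, angle brackets, javascript: and data: schemes, userinfo and fragments are all rejected before anything is stored; output encoding is shown as the second layer, with CSP as the third.

```python
"""Validating an OpenID Connect discovery URL before storing it.

Added illustration only: this is not code from user_oidc or Nextcloud.
Function names, the sample URLs and the HTML rendering helper are
constructed for this page. It contrasts a permissive check (the class
of validation weakness the advisory describes) with a strict one, and
shows output encoding as the second layer that CSP backs up.
"""
import html
import re
from urllib.parse import urlsplit

# RFC 3986 URL characters, minus the single quote, which a discovery URL
# never needs and which would otherwise survive into a single-quoted HTML
# attribute. Double quotes, angle brackets and whitespace are outside the set.
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&()*+,;=%]+$")

# Constructed samples; the comment gives the reason the strict check rejects.
SAMPLE_URLS = [
    "https://idp.example.com/.well-known/openid-configuration",         # ok
    "https://idp.example.com:8443/.well-known/openid-configuration",    # ok
    "http://idp.example.com/.well-known/openid-configuration",          # not https
    "javascript:alert(1)",                                              # scheme
    'https://idp.example.com/x"><img src=x onerror=alert(1)>',          # markup
    "data:text/html,<script>alert(1)</script>",                         # scheme
    "https://admin@idp.example.com/.well-known/openid-configuration",   # userinfo
    "https://idp.example.com/.well-known/openid-configuration#frag",    # fragment
    "https://[::1/.well-known/openid-configuration",                    # malformed
    "",                                                                 # empty
]


def permissive_is_discovery_url(value: str) -> bool:
    """Too weak: only asks whether the string resembles a URL, so a
    privileged user can store a URL with markup appended to it."""
    return "://" in value


def strict_is_discovery_url(value: str, require_https: bool = True) -> bool:
    """Accept a single, absolute, well-formed https URL and nothing else."""
    if not value or len(value) > 2048 or not _URL_CHARS.match(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:            # e.g. unbalanced IPv6 brackets
        return False
    allowed = {"https"} if require_https else {"https", "http"}
    if parts.scheme.lower() not in allowed:
        return False
    if not parts.hostname:        # None when the authority is missing or broken
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.fragment:            # the document is fetched; a fragment is noise
        return False
    return True


def render_discovery_link(value: str) -> str:
    """Output side: even a stored value that slipped past validation must be
    encoded before it lands in an attribute. CSP is the third layer."""
    return '<a href="{0}">{0}</a>'.format(html.escape(value, quote=True))


def check_samples() -> dict:
    """Run both checks over the constructed samples: url -> (permissive, strict)."""
    return {u: (permissive_is_discovery_url(u), strict_is_discovery_url(u))
            for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, (loose, strict) in check_samples().items():
        print(f"permissive={loose!s:5} strict={strict!s:5}  {url!r}")
    print(render_discovery_link(SAMPLE_URLS[4]))
```

Run stand-alone, the script shows that the permissive check accepts the sample carrying injected markup (it does contain "://") while the strict check accepts only the two clean https URLs. The design point is that the allowlist of characters does most of the work: a value that can carry a tag or close an attribute is not a URL and should never reach storage, and the strict scheme and authority checks close the javascript:, data: and userinfo cases that a character filter alone would miss.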

Tags Exploit · Fix · XSS · RCE

Weakness Enumeration

Related Identifiers

CVE-2022-39338
GHSA-5FPW-795H-RG57

Affected Products

Safari
User Oidc