CVE-2023-31145

Name of the Vulnerable Software and Affected Versions Collabora Online versions prior to 22.05.13 Collabora Online versions prior to 21.11.9 Collabora Online versions prior to 6.4.27

Description This issue describes a reflected XSS vulnerability with full CSP bypass in Nextcloud installations using the recommended bundle. The vulnerability can be exploited to perform a trivial account takeover attack, allowing attackers to inject malicious code into web pages, which can be executed in the context of the victim's browser session. This means that an attacker can steal sensitive data, such as login credentials or personal information, or perform unauthorized actions on behalf of the victim, such as modifying or deleting data. The fact that the vulnerability bypasses the Content Security Policy (CSP) makes it more dangerous, as CSP is an important security mechanism used to prevent cross-site scripting attacks.

Recommendations To resolve the issue, upgrade to version 22.05.13 or later. To resolve the issue, upgrade to version 21.11.9 or later. To resolve the issue, upgrade to version 6.4.27 or later.