Reflected XSS when renaming malicious file (NC-SA-2021-005)
25th January 2021
Risk level: Low
CVSS v3 Base Score: 5.3 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:L)
HackerOne report: 896522
Missing sanitization in Nextcloud Server 20.0.5 and prior allowed to perform a reflected XSS when saving html as file name and causing an error on rename e.g. by renaming to an existing file. The risk is mostly mitigated due to the strict Content-Security-Policy (CSP) of Nextcloud, and thus mainly targets browsers not supporting CSP such as Internet Explorer.
- Nextcloud Server < 20.0.6 (CVE-2021-22878)
The error has been fixed.
It is recommended that the Nextcloud Server is upgraded to 20.0.6.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.