Security Advisory

Reflected XSS when renaming malicious file (NC-SA-2021-005)

25th January 2021

Risk level: Low

CVSS v3 Base Score: 5.3 (AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:L/A:L)

CWE: Cross-site Scripting (XSS) - Reflected (CWE-79)

HackerOne report: 896522


Missing sanitization in Nextcloud Server 20.0.5 and prior allowed a reflected XSS when HTML was saved as a file name and a rename of that file then caused an error, e.g. by renaming to an existing file. The risk is mostly mitigated by the strict Content-Security-Policy (CSP) of Nextcloud, so the issue mainly affects browsers that do not support CSP, such as Internet Explorer.
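
The bug class described above, shown as an added example that is not Nextcloud's code: a rename that fails on a name collision builds an error message from the file name, once without and once with output escaping. The function names, the message text and the file set are assumptions made for illustration.

```javascript
// Added illustration; function names and message text are hypothetical,
// not taken from Nextcloud's code base.

// Escape the five characters that can change HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the user-controlled file name is concatenated
// into markup that the page will later insert as HTML.
function renameErrorUnsafe(oldName, newName) {
  return '<span class="error">Could not rename "' + oldName +
         '": "' + newName + '" already exists</span>';
}

// Hardened pattern: every file name is escaped before it reaches markup.
function renameErrorSafe(oldName, newName) {
  return '<span class="error">Could not rename &quot;' + escapeHTML(oldName) +
         '&quot;: &quot;' + escapeHTML(newName) + '&quot; already exists</span>';
}

// Simulate the failing rename from the advisory: the target already exists.
function tryRename(existing, oldName, newName, render) {
  if (existing.has(newName)) {
    return { ok: false, html: render(oldName, newName) };
  }
  existing.delete(oldName);
  existing.add(newName);
  return { ok: true, html: '' };
}

// Constructed sample data: a file whose name is HTML, and a name collision.
const markupName = '<img src=x onerror=alert(1)>.txt';
const files = new Set([markupName, 'report.txt']);

const unsafe = tryRename(files, markupName, 'report.txt', renameErrorUnsafe);
const safe = tryRename(files, markupName, 'report.txt', renameErrorSafe);
console.log(unsafe.html); // file name arrives as a live <img> element
console.log(safe.html);   // file name arrives as inert text
```

In a browser, assigning the file name through `textContent` instead of building an HTML string gives the same result as the escaped version.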

Affected Software

  • Nextcloud Server < 20.0.6 (CVE-2021-22878)

Action Taken

The error has been fixed.


It is recommended that the Nextcloud Server is upgraded to 20.0.6.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

This advisory is licensed CC BY-SA 4.0.
