Stored XSS in "gallery" application (NC-SA-2016-001)
19th July 2016
Risk level: Medium
CVSS v3 Base Score: 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N)
HackerOne report: 145355
Due to a recent migration of the Gallery app to the new sharing endpoint, a parameter changed from an integer to a string value. This value had never been sanitized, which was harmless while it was an integer, but once it became a string it was vulnerable to a Cross-Site-Scripting attack.
To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there.
Since Nextcloud employs a strict Content-Security-Policy, this vulnerability is only exploitable in browsers that do not support Content-Security-Policy. You can check at caniuse.com whether your browser supports CSP.
- Nextcloud Server < 9.0.52 (CVE-2016-7419)
The user input is now properly sanitized before being returned to the user.
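The following is an added illustration of the failure mode this advisory describes, not Gallery or Nextcloud code: a template that was safe while the value was an integer needs explicit output escaping once the same parameter becomes a string. Function names and the sample token are assumptions made up for the example.

```javascript
// Added example (hypothetical names, not Gallery/Nextcloud code).

// Minimal HTML escaping for a value placed into element content or a
// double-quoted attribute. CSP remains a second line of defence, not a
// substitute for this.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Old contract: the sharing endpoint handed back an integer id.
// Enforcing the type is enough here, since digits cannot form markup.
function renderShareRowIntegerId(shareId) {
  if (!Number.isInteger(shareId) || shareId < 0) {
    throw new TypeError('share id must be a non-negative integer');
  }
  return '<li data-share-id="' + shareId + '">Share #' + shareId + '</li>';
}

// New contract: the endpoint returns a string. Reusing the old template
// unchanged lets the string be interpreted as markup ("before" form).
function renderShareRowUnsafe(shareToken) {
  return '<li data-share-token="' + shareToken + '">' + shareToken + '</li>';
}

// Hardened form: escape on output, regardless of where the string came from.
function renderShareRowSafe(shareToken) {
  const t = escapeHtml(shareToken);
  return '<li data-share-token="' + t + '">' + t + '</li>';
}

// Constructed sample value: a string arriving where a number used to be.
const SAMPLE_TOKEN = 'abc"><b>not a token</b>';

// Quick self-check a reviewer can run: the unsafe render leaks raw tags,
// the safe render does not.
function sampleIsEscaped() {
  return !renderShareRowSafe(SAMPLE_TOKEN).includes('<b>') &&
         renderShareRowUnsafe(SAMPLE_TOKEN).includes('<b>');
}
```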
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.