Stored XSS in "gallery" application (NC-SA-2016-001)
19th July 2016
Risk level: Medium
CVSS v3 Base Score: 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N)
HackerOne report: 145355
Due to a recent migration of the Gallery app to the new sharing endpoint, a parameter changed from an integer to a string value. This value was not sanitised before being output, so after the migration it became vulnerable to a Cross-Site Scripting attack.
To exploit this vulnerability, an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app, and open the sharing window there.
Since Nextcloud employs a strict Content-Security-Policy, this vulnerability is only exploitable in browsers that do not support Content-Security-Policy. You can check at caniuse.com whether your browser supports CSP.
- Nextcloud Server < 9.0.52 (CVE-2016-7419)
The user input is now properly sanitised before being provided back to the user.
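As an added illustration (not Nextcloud's or the Gallery app's code; every name in it is hypothetical), the pattern the description above refers to, in JavaScript: a renderer that happened to be safe while the share endpoint returned an integer, beside a hardened version that encodes the value for its HTML context.

```javascript
// Added example, not Nextcloud code. Shows how a field that used to be an
// integer turns into an XSS sink once the endpoint starts returning a string,
// and how output encoding closes it. All names below are hypothetical.

// Minimal HTML entity encoder for text placed into element content or
// double-quoted attribute values.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pre-migration pattern: the endpoint returned a numeric id, so plain string
// concatenation was accidentally safe. After the migration the same field
// carries text chosen by the sharer, and this renderer becomes a DOM XSS sink
// (only mitigated by a CSP, which is defence in depth, not the fix).
function renderShareRowUnsafe(share) {
  return '<li data-share="' + share.shareWith + '">' + share.shareWith + '</li>';
}

// Hardened pattern: every untrusted field is encoded for the context it lands
// in, regardless of what type the endpoint used to return.
function renderShareRowSafe(share) {
  const safe = escapeHTML(share.shareWith);
  return '<li data-share="' + safe + '">' + safe + '</li>';
}

// Constructed sample data: the first entry mirrors the old integer id, the
// second a string under the sharer's control that happens to contain markup.
const SAMPLE_SHARES = [
  { shareWith: 42 },
  { shareWith: '<b>alice</b>' },
];

// Renders each sample both ways so the difference can be compared directly.
function demo() {
  return SAMPLE_SHARES.map((s) => ({
    unsafe: renderShareRowUnsafe(s),
    safe: renderShareRowSafe(s),
  }));
}
```

For the integer entry both renderers produce identical markup, which is exactly why the missing encoding went unnoticed until the type changed.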
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.