Stored XSS in CardDAV image export (NC-SA-2016-008)
10th October 2016
Risk level: Medium
CVSS v3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
HackerOne report: 163338
The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Because no verification of any kind is performed on the image content, the export is prone to a stored Cross-Site Scripting attack: whatever bytes the vCard carries in its photo field are served back to the browser.
Note: Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.
- Nextcloud Server < 10.0.1 (CVE-2016-9465)
The mimetype of the exported image is now checked against a whitelist, and download disposition headers have been set on the response.
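The two measures described above, as an added example that is not Nextcloud's own fix code: the image type is derived from the photo bytes themselves (never from the type the vCard declares) and checked against a whitelist, and the response is sent with an attachment disposition so a browser downloads it rather than rendering it. The function names, the whitelist contents and the minimal vCard 3.0 inline base64 `PHOTO` handling are assumptions made for this example; the vCard inputs are constructed.

```python
"""
Added example (not Nextcloud's own code): hardening a CardDAV vCard photo
export as the advisory describes. The real image type is sniffed from the
bytes, compared with a whitelist, and the response forces a download.
"""
import base64
from typing import Optional, Tuple, Dict

# Assumed whitelist of image types the export is willing to serve.
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}

# Magic-byte signatures; the declared TYPE parameter in the vCard is ignored.
_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


class ExportRejected(Exception):
    """Raised when the photo content must not be served."""


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the image mimetype implied by the leading bytes, or None."""
    for magic, mime in _SIGNATURES:
        if data.startswith(magic):
            return mime
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def extract_photo(vcard: str) -> Optional[bytes]:
    """Decode the inline base64 PHOTO value of a vCard 3.0 text (folded lines unfolded)."""
    unfolded = vcard.replace("\r\n ", "").replace("\n ", "")
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.split(";")[0].upper() == "PHOTO":
            try:
                return base64.b64decode(value, validate=True)
            except ValueError:
                return None
    return None


def build_photo_response(vcard: str) -> Tuple[Dict[str, str], bytes]:
    """Return (headers, body) for the photo, or raise ExportRejected."""
    data = extract_photo(vcard)
    if data is None:
        raise ExportRejected("vCard carries no decodable PHOTO")
    mime = detect_image_type(data)
    if mime not in ALLOWED_IMAGE_TYPES:
        raise ExportRejected("refusing to export non-image content (%r)" % mime)
    headers = {
        "Content-Type": mime,
        # Download disposition: the browser saves the file instead of rendering it.
        "Content-Disposition": 'attachment; filename="photo"',
        # Tell the browser not to second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, data


# Constructed sample data: a PNG signature stub (not a full image) and a helper
# that wraps arbitrary bytes in a vCard 3.0 with an inline base64 PHOTO.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def make_vcard(photo: bytes, declared_type: str) -> str:
    b64 = base64.b64encode(photo).decode("ascii")
    return (
        "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example Contact\r\n"
        "PHOTO;ENCODING=b;TYPE=" + declared_type + ":" + b64 + "\r\nEND:VCARD\r\n"
    )


if __name__ == "__main__":
    hdrs, body = build_photo_response(make_vcard(PNG_STUB, "PNG"))
    print(hdrs)
    try:
        # Declares TYPE=PNG but the bytes are markup, so the export is refused.
        build_photo_response(make_vcard(b"<html><body>not an image</body></html>", "PNG"))
    except ExportRejected as exc:
        print("rejected:", exc)
```

The whitelist check deliberately trusts only the sniffed type: a vCard that labels markup as `TYPE=PNG` is refused, and even a whitelisted image goes out as an attachment, so the response is never interpreted as a document in the DAV origin.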
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.