Security Advisory

Back to advisories

Reflected XSS in Gallery application (NC-SA-2016-009)

10th October 2016

Risk level: Medium

CVSS v3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

HackerOne report: 165686


The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.

Affected Software

Action Taken

Error messages are now properly sanitized.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Aliaksei Panamarenka - Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0.