Security Advisory

Back to advisories

Reflected XSS in error pages (NC-SA-2017-008)

8th May 2017

Risk level: Low

CVSS v3 Base Score: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

HackerOne report: 216812


Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.

Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.

Affected Software

  • Nextcloud Server < 11.0.3 (CVE-2017-0891)
  • Nextcloud Server < 10.0.5 (CVE-2017-0891)
  • Nextcloud Server < 9.0.58 (CVE-2017-0891)

Action Taken

Error messages are now properly escaped.


The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

This advisory is licensed CC BY-SA 4.0.