CVE-2017-0893 — Cross-site Scripting in Server

CWE-79 — Cross-site Scripting10 documents5 sources

Severity

5.4MEDIUMNVD

EPSS

0.3%

top 45.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server

Timeline

PublishedMay 8

Latest updateMay 13

Description

Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vulnerable JavaScript library for sanitizing untrusted user-input which suffered from a XSS vulnerability caused by a behaviour change in Safari 10.1 and 10.2. Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server10.0.0 — 10.0.5+2

▶CVEListV5nextcloud/nextcloud_serverbefore 9.0.58 and 10.0.5 and 11.0.3

🔴Vulnerability Details

GHSA

GHSA-qv8x-gg84-8259: Nextcloud Server before 9↗2022-05-13

▶

CVEList

CVE-2017-0893: Nextcloud Server before 9↗2017-05-08

▶

💬Community

HackerOne

Stored XSS in Gallery application (NC-SA-2017-010)↗2017-06-06

▶

Bugzilla

CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [epel-7]↗2017-05-16

▶

Bugzilla

CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 owncloud: nextcloud: Multiple security issues [fedora-all]↗2017-05-16

▶

Bugzilla

CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [fedora-all]↗2017-05-09

▶

Bugzilla

CVE-2017-0890 CVE-2017-0891 CVE-2017-0892 CVE-2017-0893 CVE-2017-0894 CVE-2017-0895 nextcloud: Multiple security issues [epel-7]↗2017-05-09

▶