CVE-2018-3780 — Cross-site Scripting in Server

CWE-79 — Cross-site Scripting6 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 32.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server

Timeline

PublishedAug 13

Latest updateMay 13

Description

A missing sanitization of search results for an autocomplete field in NextCloud Server <13.0.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server< 13.0.5

▶CVEListV5nextcloud/nextcloud_server>13.0.5

🔴Vulnerability Details

GHSA

GHSA-9qxg-6mvx-c4mc: A missing sanitization of search results for an autocomplete field in NextCloud Server <13↗2022-05-13

▶

CVEList

CVE-2018-3780: A missing sanitization of search results for an autocomplete field in NextCloud Server <13↗2018-08-13

▶

💬Community

Bugzilla

CVE-2018-3780 nextcloud: Stored XSS in autocomplete suggestions for file comments↗2018-08-22

▶

Bugzilla

CVE-2018-3780 nextcloud: Stored XSS in autocomplete suggestions for file comments [fedora-all]↗2018-08-22

▶

Bugzilla

CVE-2018-3780 nextcloud: Stored XSS in autocomplete suggestions for file comments [epel-7]↗2018-08-22

▶