CVE-2019-5450 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Nextcloud

CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.8MEDIUMNVD

EPSS

0.1%

top 66.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Nextcloud Com.nextcloud.client

Timeline

PublishedJul 30

Latest updateMay 24

Description

Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3.7.0 allowed to style the directory name in the header bar when using basic HTML.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

▶NVDnextcloud/nextcloud< 3.7.0

▶CVEListV5nextcloud/com.nextcloud.client3.7.0

🔴Vulnerability Details

GHSA

GHSA-x6fc-pmf5-67rv: Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3↗2022-05-24

▶

CVEList

CVE-2019-5450: Improper sanitization of HTML in directory names in the Nextcloud Android app prior to version 3↗2019-07-30

▶