CVE-2021-22878 — Cross-site Scripting in Server

Severity

4.8MEDIUMNVD

EPSS

0.4%

top 41.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedMar 3

Latest updateMay 24

Description

Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in `OC.Notification.show`.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

▶CVEListV5nextcloud/nextcloud_serverFixed in 20.0.6

Also affects: Fedora 34

GHSA

GHSA-3qm7-9jrc-h4gp: Nextcloud Server prior to 20↗2022-05-24

▶

CVEList

CVE-2021-22878: Nextcloud Server prior to 20↗2021-03-03

▶