CVE-2021-32733Cross-site Scripting in Security-advisories

CWE-79Cross-site Scripting2 documents2 sources
Severity
6.1MEDIUMNVD
CNA4.8
EPSS
0.2%
top 62.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedJul 12

Description

Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a `text/html` Content-Type when serving files to users. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. The issue was fixed in versions 19.0.13, 20.0.11

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5nextcloud/security-advisories< 19.0.13+2
NVDnextcloud/nextcloud_server20.0.020.0.11+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
XSS in Nextcloud Text application2021-07-12
CVE-2021-32733 — Cross-site Scripting | cvebase