CVE-2022-39338Improper Input Validation in Security-advisories

CWE-20Improper Input ValidationCWE-79Cross-site Scripting2 documents2 sources
Severity
5.4MEDIUMNVD
CNA3.5
EPSS
0.3%
top 45.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Openid Connect User Backend
Timeline
PublishedNov 25

Description

user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Stored cross site scripting (XSS) vulnerability via Authorization Endpoint in user_oidc2022-11-25
CVE-2022-39338 — Improper Input Validation | cvebase