5.8

CVE-2021-32782

Cross-Site Scripting in Nextcloud Circles

XSS in Nextcloud Circles

Nextcloud Circles is an open source social network built for the Nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Because of the strict Content-Security-Policy (CSP) shipped with Nextcloud, this issue is not exploitable in modern browsers that support Content-Security-Policy. It is recommended that the Nextcloud Circles application be upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround, users may use a browser that supports Content-Security-Policy. A notable exception is Internet Explorer, which does not support CSP properly.
Possible mitigation
Nextcloud Circles: Use a browser that supports Content-Security-Policy. You can find a list of supported browsers on [caniuse.com](https://caniuse.com/contentsecuritypolicy). A notable exception is Internet Explorer, which does not support CSP properly.
Data provided by the National Vulnerability Database (NVD)
Nextcloud Circles version < 0.19.14
Nextcloud Circles version >= 0.20.0, < 0.20.10
Nextcloud Circles version >= 0.21.0, < 0.21.3
Further vulnerability information
System: Nextcloud App
Product: Nextcloud Circles
Version >= 0.0.0, < 0.19.14
Version >= 0.20.0, < 0.20.10
Version >= 0.21.0, < 0.21.3
No advisory was found for this CVE.
EPSS metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.36% | 0.576 |
CVSS metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| security-advisories@github.com | 5.8 | 1.3 | 4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.