Hi everyone, On latest version of Polls app (1.7.5), I noticed a lack of user input filtering for the "Description" part of the survey. An HTML injection is therefore possible. I tried to inject JavaScript code to get an XSS but I didn't succeed. Certainly someone better than me will be able to do it. ## Phishing Knowing that you can inject HTML, you can do cool stuff like phishing with the following code : ```

!!!!! IMPORTANT message from Nextcloud administrator !!!!!!

A security issue was found last night.

Please go to manually on changing-password.cloud.evil.com to reset your password.

Thank you in advance for doing so as soon as possible.

The IT team.

!!!!! IMPORTANT message from Nextcloud administrator !!!!!!

``` And the website changing-password.cloud.evil.com would first ask for entering the user's current password, before he enters his new password => password retrieved from the attacker's server **Proof-of-concept :** https://███/apps/polls/s/cxXkCK9LRXIKu5Oq ## DoS (client side) You can also make the user's PC spit by loading an infinite number of iframes. **Proof-of-concept (Warning, may crash your PC) :** https://███████/apps/polls/s/WKGKWHEFSSvPsHyC ## Impact - Attract the user to redirect him to a malicious page and steal his personal identifiers - Client-side DoS - And many other things are possible by injecting HTML code at will and without filtering In my opinion, I don't think it's a good thing to let the user add HTML code as he wants without being worried! Regards, Supras

Nextcloud: HTML Injection on "polls" app - comments section (possibly XSS)