hackerone | Ctulhu | H1:1358977
History | Oct 05, 2021 - 7:33 a.m.

Nextcloud: When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL

2021-10-05 07:33:31
ctulhu
hackerone.com
25
nextcloud deck
metadata manipulation
url manipulation
security vulnerability
bug bounty
burpsuite

EPSS

0.001

Percentile

42.2%

Summary:

This report is similar to #1337178

In Nextcloud Deck, a user can post their decks into a conversation via Nextcloud Talk. The link in metaData can be manipulated to point to another URL.

Steps To Reproduce:

  • 0.) Set up Burp Suite as a proxy
  • 1.) Go to Nextcloud Deck and pick a board
  • 2.) Pick any card. It will open a page; at the top right there are 3 dots (a toggle menu, I think). Click it and press "Post to a Conversation"
  • 3.) Post the card to any conversation (if you see nothing, start a conversation with a separate account)
  • 4.) Go to Burp Suite and find the request; it should look like the request below
POST /ocs/v2.php/apps/spreed/api/v1/chat/9wdc7nta/share HTTP/2

{"objectType":"deck-card","objectId":"9","metaData":"{\"id\":\"9\",\"name\":\"Example Task 2\",\"boardname\":\"Personal\",\"stackname\":\"Doing\",\"link\":\"https://…/apps/deck/#/board/4/card/9\"}","referenceId":"8c7a60c7d1d345a018286613f2faef73ecc596a3"}
  • 5.) Send the request to Repeater, modify the link, and send the request
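
A receiving-side check for the metaData link described above, as an added example that is not part of the original report and is not Nextcloud's actual fix. The function names, the rejection messages and the `https://cloud.example.com` origin are assumptions made for illustration.

```javascript
// Added example (not Nextcloud code): validate a deck-card share before it is
// stored or rendered. INSTANCE_ORIGIN is a constructed placeholder.
const INSTANCE_ORIGIN = 'https://cloud.example.com';

function validateDeckCardShare(body, instanceOrigin = INSTANCE_ORIGIN) {
  const reject = (reason) => ({ ok: false, reason });
  if (body.objectType !== 'deck-card') return reject('unexpected objectType');

  // metaData arrives as a JSON string nested inside the JSON request body.
  let meta;
  try { meta = JSON.parse(body.metaData); } catch { return reject('metaData is not JSON'); }
  if (!meta || typeof meta.link !== 'string') return reject('missing link');
  if (String(meta.id) !== String(body.objectId)) return reject('id does not match objectId');

  // Parse instead of string-matching, so userinfo tricks and non-http schemes
  // resolve to their real origin ("null" for javascript:, data:, ...).
  let url;
  try { url = new URL(meta.link); } catch { return reject('link is not an absolute URL'); }
  if (url.origin !== new URL(instanceOrigin).origin) return reject('link leaves this instance');

  // The link must address the Deck app and the same card as objectId.
  if (!/\/apps\/deck\/$/.test(url.pathname)) return reject('link is not a Deck URL');
  const card = /^#\/board\/\d+\/card\/(\d+)$/.exec(url.hash);
  if (!card || card[1] !== String(body.objectId)) return reject('link targets another card');
  return { ok: true };
}

// Constructed sample bodies modelled on the request in step 4.
function sampleBody(link) {
  return {
    objectType: 'deck-card',
    objectId: '9',
    metaData: JSON.stringify({ id: '9', name: 'Example Task 2', boardname: 'Personal', stackname: 'Doing', link }),
    referenceId: 'constructed-reference-id',
  };
}

console.log(validateDeckCardShare(sampleBody('https://cloud.example.com/apps/deck/#/board/4/card/9')));
console.log(validateDeckCardShare(sampleBody('https://other.example/landing')));
```

The same rule applies wherever the link is rendered: clients should build the card URL from `objectId` or re-validate it rather than trust the stored `link` value.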
