#DOM XSS vulnerability in search dialogue (NC-SA-2017-007)
**Risk level:** Low

**CVSS v3 Base Score:** 2.6 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)

**CWE:** Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)
#Description
Inadequate escaping led to an XSS vulnerability in the search module. To exploit it, a user has to write or paste malicious content into the search dialogue.
#Affected Software
#Action Taken
The content is now properly escaped. Furthermore, for Nextcloud 12 we have hardened jQuery to prevent such CSP bypasses.
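The following is an added illustration of this class of fix, not code from Nextcloud. It contrasts a search status line built from the raw query with one built from the escaped query, and adds a regression check. All function names, the markup and the sample input are assumptions made for the example.

```javascript
// Added illustration: names and markup are hypothetical, not Nextcloud's.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Neutralise the characters that let text break out of an HTML text
// node or a quoted attribute value.
function escapeHTML(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the typed query is concatenated into markup unescaped, so a
// sink such as innerHTML or jQuery's .html() parses it as HTML.
function renderStatusUnescaped(query) {
  return '<div class="status" data-query="' + query + '">' +
         'No results for ' + query + '</div>';
}

// After: every interpolation of the query is escaped first. In a
// browser, assigning to textContent achieves the same for text nodes.
function renderStatusEscaped(query) {
  const q = escapeHTML(query);
  return '<div class="status" data-query="' + q + '">' +
         'No results for ' + q + '</div>';
}

// Count the structural characters of the rendered markup.
function markupShape(html) {
  const count = (re) => (html.match(re) || []).length;
  return { tags: count(/</g), quotes: count(/"/g) };
}

// Regression check: rendering any query must produce the same markup
// shape as rendering a harmless one, i.e. the query stays plain text.
function staysInTemplate(render, query) {
  const expected = markupShape(render('plain'));
  const actual = markupShape(render(query));
  return actual.tags === expected.tags && actual.quotes === expected.quotes;
}

// Constructed sample of content pasted into the search dialogue.
const SAMPLE_QUERY = '"><img src=x onerror=alert(1)>';
```

Running `staysInTemplate` over every renderer that interpolates the query gives a unit test that fails as soon as an unescaped interpolation is reintroduced.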
#Acknowledgements
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory: