I found a HTML injection vulnerability  flaw in the Nextcloud (and Owncloud) latest version. Through this vulnerability an attacker could manipulate the website. This vulnerability could affect to the logged users. An attacker could send a malicious link (that contains the manipulated URL) to a legitimate user that he is logged in and simulate the login screen to stole the password (phishing), or multiple attacks more, like XSS.
The Nextcloud/Owncloud application contains multiple security headers of HTTP, so, inject scripts or redirect to another websites is difficult, the problem is that not all the browser supports these headers (fortunatelly, the most used browsers yes).
Anyway, all the mitigations are well, but these aren't never-falling. So the solution to this vulnerability is sanitize the output before to deliver the HTML to the final user.
Also, another security flaw is showed, but the impact is less, it is a full path disclosure and it show the full path of the Nextcloud/Owncloud installation.
PoC (Proof of Concept):
I tested it in the last version.
If you need more information, ask to me.