Lucene search
Max_nextcloudH1:2211561HistoryOct 16, 2023 - 3:13 p.m.
Nextcloud: Self XSS when pasting HTML into Text app with Ctrl+Shift+V
2023-10-1615:13:18
max_nextcloud
hackerone.com
16
nextcloud
self xss
html injection
ctrl+shift+v
dom element
vulnerability
xss attack
bug bounty
Summary:
ctrl-shift-v is meant to paste plaintext as is. However it will paste it into a dom elements innerHtml and can thus be used to inject malicious html.
Steps To Reproduce:
- copy “<h1>html</h1>”
- use ctrl-shift-v to paste it into a .md file
- See the heading getting added.
Supporting Material/References:
https://github.com/nextcloud/text/blob/main/src/extensions/Markdown.js#L97
- [attachment / reference]
Impact
If you can trick someone into using ctrl-shift-v to paste content you control you can insert html into the page leading to a possible xss attack.
The html will be inserted into the editors schema - but before that happens it’s already pasted into the innerHtml of a dom element.
Related
cvelist
cvelist
prion
prion
Code injection
2023-11-21 22:15:00
osv
osv
CVE-2023-48302
2023-11-21 22:15:07
nvd
nvd
CVE-2023-48302
2023-11-21 22:15:07
veracode
veracode
Cross Site Scripting (XSS)
2023-11-22 09:56:05
nextcloud
nextcloud
Self XSS when pasting HTML into Text app with Ctrl+Shift+V
2023-11-21 05:24:35
cve
cve
CVE-2023-48302
2023-11-21 22:15:07
openvas
openvas
redos
redos
ROS-20240402-12
2024-04-02 00:00:00