Nextcloud: XSS in desktop client via invalid server address on login form

Team!

I have found this vulnerability that in my time would be called “cross zone” but at the moment I don’t know.

The problem is found in the latest version of “nextcloud.exe” for your windows version.

The problem occurs with the initial screen where you ask to connect to a website.

Apparently when you put an invalid URI that generates some type of response code like 403, it is reported in a small window, as if it were an alert box, not in the main.

This “alert box” visualizes the response and to my impression (that’s why I said the cross zone) has a little more permissions than the internet explorer.

For example, if the response code has an <s> test</s> it will interpret it as IE does.

That’s fine, it would only be an html injection.

The problem, for example, is that it allows you to run a file like the calculator locally without any confirmation.

This vector works : <a href>CALC.EXE</a>

In my opinion, response code errors are a problem and must be controlled by the application.

For the demonstration use the burp.

But basically any personal site where the response code building could be controlled could exploit it.

I attach a video to make everything clearer.

Impact

The impact is that you can run local files without authorization (of the application) in a context where you should warn.

It should be filtered so as not to disturb that it is a vector.