Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneMeliodas19H1:968232
HistoryAug 27, 2020 - 3:14 a.m.

Nextcloud: Stored XSS in collabora via user name

2020-08-2703:14:13
meliodas19
hackerone.com
114
JSON

Affected: collabora and nextcloud

Ubuntu 18.04.5 LTS
Nextcloud 19.0.1 snap version
collabora (CODE)

The name of the user is displayed when him joins to edit the document allowing the attacker trigger xss.

Impact

  • Set the name of the attacker account to <img src>
  • Create a new document → share the document with admin or another victim → the document will appear automatically in the files of the victim as shared
  • The attacker opens the document and waits until the victim also opens the document when opening it the payload is executed

{F965228}

JSON