Lucene search
NextcloudGHSA-MG7W-X9FM-9WWCHistoryJan 18, 2024 - 8:37 a.m.
Self XSS when sending HTML as a comment in the Deck app
2024-01-1808:37:00
github.com
10
html comment vulnerability
browser code execution
nextcloud deck upgrade
hackerone
pullrequest
security advisories discussion
support ticket
CVSS3
5.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
6.8
Confidence
High
EPSS
0.001
Percentile
20.0%
Description
Impact
Users could be tricked into executing malicious code that would execute in their browser.
Patches
It is recommended that the Nextcloud Deck is upgraded to 1.9.5 or 1.11.2
Workarounds
- No workaround available
References
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at portal.nextcloud.com
Related
hackerone
hackerone
Nextcloud: Self XSS when sending HTML as a comment in the Deck app
2023-07-09 13:22:14
cvelist
cvelist
osv
osv
CVE-2024-22213
2024-01-18 20:15:08
prion
prion
Design/Logic Flaw
2024-01-18 20:15:00
nvd
nvd
CVE-2024-22213
2024-01-18 20:15:08
cve
cve
CVE-2024-22213
2024-01-18 20:15:08
CVSS3
5.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
AI Score
6.8
Confidence
High
EPSS
0.001
Percentile
20.0%
Related for GHSA-MG7W-X9FM-9WWC