CVE-2023-48301 Nextcloud Server HTML injection in search UI when selecting a circle with HTML in the display name

🗓️ 21 Nov 2023 21:26:21Reported by GoogleType

osv

osv🔗 osv.dev👁 15 Views

Vulnerability in Nextcloud Server allows unauthorized link insertion into circle names

Reporter	Title	Published	Views	Family All 51
BDU FSTEC	The vulnerability of cloud-based software for creating and using Nextcloud Server’s data storage system lies in improper input validation during the creation of web pages. This allows attackers to execute cross-site scripting (XSS) attacks.	3 Apr 202400:00	–	bdu_fstec
CNNVD	Nextcloud Security Breach	21 Nov 202300:00	–	cnnvd
CVE	CVE-2023-48301	21 Nov 202321:26	–	cve
Cvelist	CVE-2023-48301 Nextcloud Server HTML injection in search UI when selecting a circle with HTML in the display name	21 Nov 202321:26	–	cvelist
EUVD	EUVD-2023-52361	3 Oct 202520:07	–	euvd
Nextcloud	HTML injection in search UI when selecting a circle with HTML in the display name	21 Nov 202305:27	–	nextcloud
Hacker One	Nextcloud: HTML injection in search UI when selecting a circle with HTML in the display name	15 Oct 202321:41	–	hackerone
NVD	CVE-2023-48301	21 Nov 202322:15	–	nvd
OpenVAS	Nextcloud Server < 25.0.13, 26.x < 26.0.8, 27.x < 27.1.3 Multiple XSS Vulnerabilities (GHSA-wgpw-qqq2-gwv6, GHSA-p7g9-x25m-4h87)	22 Nov 202300:00	–	openvas
Prion	Code injection	21 Nov 202322:15	–	prion

Source	Link
hackerone	www.hackerone.com/reports/2210038
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2023/48xxx/CVE-2023-48301.json
github	www.github.com/nextcloud/security-advisories/security/advisories/GHSA-wgpw-qqq2-gwv6
nvd	www.nvd.nist.gov/vuln/detail/CVE-2023-48301
github	www.github.com/nextcloud/circles/pull/1415

10 Apr 2026 05:04Current

5.1Medium risk

Vulners AI Score5.1

CVSS 3.13.5

EPSS0.00386

nextcloud server vulnerability