The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability.
Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities.
The vulnerability has been patched in version 3.1.2. If you need to display HTML in the toast, explicitly pass the options.isHTML
config flag.
Make sure no user-supplied input flows into toasts.
CPE | Name | Operator | Version |
---|---|---|---|
@nextcloud/dialogs | lt | 3.1.2 |