Cross site scripting

2021-09-0720:15:00

PRIOn knowledge base

www.prio-n.com

0.001 Low

EPSS

Percentile

26.0%

JSON

Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application is upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround users may use a browser that has support for Content-Security-Policy. A notable exemption is Internet Explorer which does not support CSP properly.

CPENameOperatorVersion
circlesge0.20.0
circleslt0.20.10
circleslt0.19.14
circlesge0.21.0
circleslt0.21.3

Name	Operator	Version
circles	ge	0.20.0
circles	lt	0.20.10
circles	lt	0.19.14
circles	ge	0.21.0
circles	lt	0.21.3

References

github.com/nextcloud/circles/commit/dbb97a83ccb342c839a54f088aa19b8ba6844b0e

github.com/nextcloud/security-advisories/security/advisories/GHSA-hgpq-28gj-jrj9

hackerone.com/reports/1217606

0.001 Low

EPSS

Percentile

26.0%

JSON

Related for PRION:CVE-2021-32782