Lucene search

NextcloudContacts

6 matches found

CVE
added 2021/01/06 9:15 p.m., 182 views

CVE-2020-8280

A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.

CVSS: 5.4, AI score: 5.2, EPSS: 0.00217

CVE
added 2021/01/06 9:15 p.m., 178 views

CVE-2020-8281

A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.

CVSS: 5.4, AI score: 5.2, EPSS: 0.00217

CVE
added 2023/05/30 5:15 a.m., 69 views

CVE-2023-33182

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It i...

CVSS: 4.3, AI score: 4.3, EPSS: 0.00154

CVE
added 2018/07/05 4:29 p.m., 46 views

CVE-2018-3764

In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or g...

CVSS: 4.8, AI score: 4.7, EPSS: 0.00348

CVE
added 2020/07/10 4:15 p.m., 41 views

CVE-2020-8181

A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.

CVSS: 4.3, AI score: 4.4, EPSS: 0.00219

CVE
added 2021/10/25 7:15 p.m., 40 views

CVE-2021-39221

Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due t...

CVSS: 6.4, AI score: 5.3, EPSS: 0.00282