Lucene search
K

5 matches found

CVE
CVE
added 2021/01/06 8:59 p.m.196 views

CVE-2020-8280

CVE-2020-8280 — Nextcloud Contacts 3.4.0 suffers from a missing file type check that lets an attacker upload SVG files with a PNG extension to trigger cross-site scripting (XSS) when viewing a contact image. The issue is documented across multiple feeds (NVD/NSS, CNVD, Red Hat, OSV, CNVD) and is ...

5.4CVSS5.2AI score0.00634EPSS
CVE
CVE
added 2021/01/06 8:58 p.m.189 views

CVE-2020-8281

Nextcloud Contacts 3.3.0 is affected by a missing file type check that allows uploading SVG files, enabling cross-site scripting (XSS). The issue is documented in the Nextcloud advisory NC-SA-2020-045 and corroborated by CNVD/NVD entries and a related HackerOne report, indicating practical XSS vi...

5.4CVSS5.2AI score0.00621EPSS
CVE
CVE
added 2018/07/05 4:0 p.m.57 views

CVE-2018-3764

In Nextcloud Contacts before version 2.1.2, a missing sanitization of search results in the autocomplete field can cause a stored XSS. The issue affects group names, so only malicious search results crafted by privileged users (admins/group admins) could trigger the issue. Impact is a stored XSS ...

4.8CVSS4.7AI score0.00637EPSS
CVE
CVE
added 2020/07/10 3:48 p.m.54 views

CVE-2020-8181

CVE-2020-8181 affects Nextcloud Contacts 3.2.0. A missing file type check in the avatar upload feature allows uploading arbitrary files, as confirmed by multiple sources (Nextcloud advisory NC-SA-2020-024; Red Hat/CVE mapping; CNVD/NVD entries; HackerOne report). Consequences include potential up...

4.3CVSS4.4AI score0.0079EPSS
CVE
CVE
added 2021/10/25 7:5 p.m.51 views

CVE-2021-39221

CVE-2021-39221 affects the Nextcloud Contacts app before v4.0.3, with a stored XSS vulnerability due to improper validation of client-side data. Exploitation requires a user to right-click a malicious file and open it in a new tab; however, a strict Content-Security-Policy (CSP) in modern browser...

6.4CVSS5.3AI score0.00504EPSS