5 matches found
CVE-2020-8280
CVE-2020-8280 — Nextcloud Contacts 3.4.0 suffers from a missing file type check that lets an attacker upload SVG files with a PNG extension to trigger cross-site scripting (XSS) when viewing a contact image. The issue is documented across multiple feeds (NVD/NSS, CNVD, Red Hat, OSV, CNVD) and is ...
CVE-2020-8281
Nextcloud Contacts 3.3.0 is affected by a missing file type check that allows uploading SVG files, enabling cross-site scripting (XSS). The issue is documented in the Nextcloud advisory NC-SA-2020-045 and corroborated by CNVD/NVD entries and a related HackerOne report, indicating practical XSS vi...
CVE-2018-3764
In Nextcloud Contacts before version 2.1.2, a missing sanitization of search results in the autocomplete field can cause a stored XSS. The issue affects group names, so only malicious search results crafted by privileged users (admins/group admins) could trigger the issue. Impact is a stored XSS ...
CVE-2020-8181
CVE-2020-8181 affects Nextcloud Contacts 3.2.0. A missing file type check in the avatar upload feature allows uploading arbitrary files, as confirmed by multiple sources (Nextcloud advisory NC-SA-2020-024; Red Hat/CVE mapping; CNVD/NVD entries; HackerOne report). Consequences include potential up...
CVE-2021-39221
CVE-2021-39221 affects the Nextcloud Contacts app before v4.0.3, with a stored XSS vulnerability due to improper validation of client-side data. Exploitation requires a user to right-click a malicious file and open it in a new tab; however, a strict Content-Security-Policy (CSP) in modern browser...