CVE-2021-39222

15.11.2021, 19:15

Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Talk application was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Talk application is upgraded to patched versions 10.0.7, 10.1.4, 11.1.2, 11.2.0 or 12.0.0. As a workaround, use a browser that has support for Content-Security-Policy.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.4 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
GitHub_M	CNA	6.4 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Vendor	Product	Version
nextcloud	talk	𝑥 < 10.0.7
nextcloud	talk	10.1.0 ≤ 𝑥 < 10.1.4
nextcloud	talk	11.0.0 ≤ 𝑥 < 11.1.2

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhxq-f4vg-jw5g

https://github.com/nextcloud/spreed/pull/542

https://hackerone.com/reports/1135481

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhxq-f4vg-jw5g

https://github.com/nextcloud/spreed/pull/542

https://hackerone.com/reports/1135481