CVE-2021-32733

Опубликовано: 12 июл. 2021

Источник: nvd

CVSS3: 4.8

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a text/html Content-Type when serving files to users. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, use a browser that has support for Content-Security-Policy.

Ссылки

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
Third Party Advisory
https://github.com/nextcloud/text/pull/1689
Patch
Third Party Advisory
https://hackerone.com/reports/1241460
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
Third Party Advisory
https://github.com/nextcloud/text/pull/1689
Patch
Third Party Advisory
https://hackerone.com/reports/1241460
Permissions Required

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*

Версия до 19.0.13 (исключая)

cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*

Версия от 20.0.0 (включая) до 20.0.11 (исключая)

cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*

Версия от 21.0.0 (включая) до 21.0.3 (исключая)

EPSS

Процентиль: 39%

0.00168

Низкий

4.8 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

EPSS

Процентиль: 39%

0.00168

Низкий

4.8 Medium

CVSS3

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79