Description
Nextcloud Circles is an open source social network built for the Nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application be upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround, users may use a browser that has support for Content-Security-Policy. A notable exception is Internet Explorer, which does not support CSP properly.
References
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Permissions Required, Third Party Advisory
- Patch, Third Party Advisory
- Patch, Third Party Advisory
- Permissions Required, Third Party Advisory
Vulnerable configurations
Configuration 1
- Versions before 0.19.14 (excluding)
- Versions from 0.20.0 (including) to 0.20.10 (excluding)
- Versions from 0.21.0 (including) to 0.21.3 (excluding)
One of
cpe:2.3:a:nextcloud:circles:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:circles:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:circles:*:*:*:*:*:*:*:*
EPSS
Percentile: 58%
0.00358
Low
5.8 Medium
CVSS3
5.4 Medium
CVSS3
3.5 Low
CVSS2
Weaknesses
CWE-79
CWE-79