CVE-2021-32733
XSS in Nextcloud Text application
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision
Descriptions
Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a `text/html` Content-Type when serving files to users, so a stored document could be rendered as an HTML page in the server's origin. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers that enforce Content-Security-Policy. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, use a browser that has support for Content-Security-Policy.
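The weakness described above is a Content-Type problem: a user-controlled document returned as `text/html` is rendered as a page in the server's origin, and only a strict Content-Security-Policy keeps the browser from running script inside it. The following check is an added example, not code from the CVE record or from the Nextcloud project. It classifies a captured set of response headers into the three states the advisory distinguishes (rendered as HTML without CSP, rendered as HTML but mitigated by CSP, not rendered as HTML) and shows one assumed hardening for serving stored text documents; the header values, the `parse_csp`/`classify_served_file`/`headers_for_document` helpers and the "safe" MIME types are assumptions for illustration, not the headers or fix Nextcloud actually uses.

```python
# Added example, not code from the CVE record or from the Nextcloud project.
# Models the weakness in the description: a user-controlled file served with
# a text/html Content-Type is rendered as a page, so script in it runs in the
# server's origin; a strict Content-Security-Policy blocks that script on
# browsers that enforce CSP. Header shapes and "safe" types are assumptions.

SAFE_TEXT_TYPES = {"text/plain", "text/markdown"}  # assumed non-rendering types


def parse_csp(policy):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def csp_blocks_inline_script(policy):
    """True if the policy governs scripts and forbids inline script.

    script-src applies when present, otherwise default-src (the CSP fallback
    rule). A policy allowing 'unsafe-inline' or '*' is treated as not blocking.
    This checks inline script only; a full policy audit is out of scope.
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources and "*" not in sources


def classify_served_file(headers):
    """Classify the headers a server used to return a user-uploaded document.

    Returns 'html-no-csp' (script in the file runs), 'html-csp' (CSP mitigates
    on enforcing browsers, as in the advisory) or 'safe' (not rendered as HTML).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if content_type != "text/html":
        return "safe"
    if csp_blocks_inline_script(lowered.get("content-security-policy", "")):
        return "html-csp"
    return "html-no-csp"


def headers_for_document(filename):
    """Headers for serving a stored text document without rendering it as a page.

    A non-HTML type plus X-Content-Type-Options: nosniff keeps browsers from
    interpreting the body as HTML (assumed hardening, not the project's fix).
    """
    content_type = "text/markdown" if filename.lower().endswith(".md") else "text/plain"
    assert content_type in SAFE_TEXT_TYPES
    return {
        "Content-Type": f"{content_type}; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample header sets for the three cases (not captured from a server).
VULNERABLE = {"Content-Type": "text/html; charset=utf-8"}
MITIGATED = {
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
}
FIXED = headers_for_document("notes.md")

if __name__ == "__main__":
    for name, hdrs in [("vulnerable", VULNERABLE), ("mitigated", MITIGATED), ("fixed", FIXED)]:
        print(f"{name}: {classify_served_file(hdrs)}")
```

Run against headers captured from a file-download endpoint, `classify_served_file` tells you which of the advisory's three states you are in; the `html-csp` result is the one the advisory calls not exploitable on modern browsers, and it still depends on every client enforcing CSP, which is why changing the Content-Type (the `safe` state) is the durable fix.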
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-05-12 CVE Reserved
- 2021-07-12 CVE Published
- 2024-03-27 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (2)
URL | Tag | Date
---|---|---
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq | Third Party Advisory |
https://github.com/nextcloud/text/pull/1689 | | 2021-07-14
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Nextcloud | Nextcloud Server | < 19.0.13 | - | Affected
Nextcloud | Nextcloud Server | >= 20.0.0 < 20.0.11 | - | Affected
Nextcloud | Nextcloud Server | >= 21.0.0 < 21.0.3 | - | Affected