// For flags

CVE-2021-39221

XSS in Contacts

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy.

Nextcloud es una plataforma de productividad de código abierto y auto-alojada. La aplicación Nextcloud Contacts versiones anteriores a 4.0.3, era vulnerable a una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado. Para una explotación, un usuario tendría que hacer clic con el botón derecho del ratón en un archivo malicioso y abrir el archivo en una nueva pestaña. Debido a la estricta política de seguridad de contenidos incluida en Nextcloud, este problema no es explotable en los navegadores modernos que soportan la Política de Seguridad de Contenidos. Es recomendado actualizar la aplicación Nextcloud Contacts a la versión 4.0.3. Como solución, puede ser usado un navegador compatible con una Política de Seguridad de Contenidos

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-16 CVE Reserved
  • 2021-10-25 CVE Published
  • 2023-05-18 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nextcloud
Search vendor "Nextcloud"
 Contacts
Search vendor "Nextcloud" for product "Contacts"
 < 4.0.3
Search vendor "Nextcloud" for product "Contacts" and version " < 4.0.3"
-
Affected