CVE-2021-32733 log

Source
Severity Low
Remote Yes
Type Cross-site scripting
Description
A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server used a `text/html` Content-Type when serving files to users. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy.
Group Package Affected Fixed Severity Status Ticket
AVG-2144 nextcloud 21.0.2-1 21.0.3-1 High Fixed
Date Advisory Group Package Severity Type
14 Jul 2021 ASA-202107-22 AVG-2144 nextcloud High multiple issues
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
https://hackerone.com/reports/1241460
https://github.com/nextcloud/text/pull/1689
https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00