| Field | Change | Value |
|---|---|---|
| Severity | | |
| Remote | | |
| Type | - | Unknown |
| Type | + | Cross-site scripting |
| Description | + | A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server used a `text/html` Content-Type when serving files to users. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. |
| References | + | https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq |
| References | + | https://hackerone.com/reports/1241460 |
| References | + | https://github.com/nextcloud/text/pull/1689 |
| References | + | https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00 |
| Notes | | |