logo

Database

Reflected cross-site scripting (XSS) In nextcloud-vue-collections

Description

Cross-Site Scripting in nextcloud-vue-collections Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitrary code in a victim's browser.

Recommendation

Upgrade to version 0.4.2 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-whv6-rj84-2vh2

References

1. https://github.com/juliushaertl/nextcloud-vue-collections/commit/8ec1fca214f003538cec4137792ede928f25f5832. https://www.npmjs.com/advisories/1442

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.