logo

Database

Reflected cross-site scripting (XSS) In @nextcloud/dialogs

Description

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs

Impact

The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability.

Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities.

Patches

The vulnerability has been patched in version 3.1.2. If you need to display HTML in the toast, explicitly pass the options.isHTML config flag.

Workarounds

Make sure no user-supplied input flows into toasts.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2021-294382. NVD-2021-294383. OSV-2021-294384. GHSA-g3fq-3v3g-mh325. GCVE-2021-29438

References

1. https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh322. https://www.npmjs.com/package/@nextcloud/dialogs

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.