CVE-2018-3763

MEDIUM

Nextcloud Calendar < 1.5.8 and 1.6.1 - Stored Cross-Site Scripting in Autocomplete Group Name Search

Title source: llm
STIX 2.1

Description

In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.

References (1)

Core 1
Core References
Broken Link, Vendor Advisory x_refsource_confirm
https://nextcloud.com/security/advisory/?id=nc-sa-2018-004

Scores

CVSS v3 4.8
EPSS 0.0031
EPSS Percentile 53.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (2)
nextcloud/calendar 1.6.0
nextcloud/calendar < 1.5.8
Published Jul 05, 2018
Tracked Since Feb 18, 2026