CVE-2019-15619

MEDIUM

Nextcloud Deck < 0.6.6 - XSS

Title source: rule

Description

Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project.

References (4)

[Permissions Required] https://hackerone.com/reports/662204

[Vendor Advisory] https://nextcloud.com/security/advisory/?id=NC-SA-2020-008

[Vendor Advisory] https://nextcloud.com/security/advisory/?id=NC-SA-2020-009

[Vendor Advisory] https://nextcloud.com/security/advisory/?id=NC-SA-2020-010

Scores

CVSS v3 4.8

EPSS 0.0025

EPSS Percentile 48.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-79

Status published

Affected Products (3)

nextcloud/deck < 0.6.6

nextcloud/nextcloud_server < 16.0.4

nextcloud/talk < 6.0.4

Timeline

Published Feb 04, 2020

Tracked Since Feb 18, 2026