Description
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability allows an attacker to download arbitrary SVG images from the host system, including user-provided files. This could also be leveraged into an XSS/phishing attack: an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk is mitigated by the strict Content-Security-Policy that Nextcloud employs, which disallows execution of arbitrary JavaScript. It is recommended that Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
References (4)
Third Party Advisory (x_refsource_confirm): https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf
Patch, Third Party Advisory (x_refsource_misc): https://github.com/nextcloud/server/pull/28726
Permissions Required (x_refsource_misc): https://hackerone.com/reports/1302155
Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202208-17
Scores
CVSS v3: 8.8
EPSS: 0.0087
EPSS Percentile: 75.2%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-22, CWE-434, CWE-23
Status: published
Products (1)
nextcloud/server: 20.0.3 - 20.0.13
Published: Oct 25, 2021
Tracked Since: Feb 18, 2026