Cross-site scripting in Nextcloud Server - CVE-2019-15619
Published: February 4, 2020 / Updated: July 17, 2020
Vulnerability identifier: #VU30391
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-15619
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Nextcloud
Affected software:
Nextcloud Server
Detailed vulnerability description
The vulnerability allows a remote privileged user to read and manipulate data.
Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes XSS when they are linked with each other in a project.
How to mitigate CVE-2019-15619
Install the update from the vendor's website.