Vulnerability identifier: #VU46083
Vulnerability risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-79
Exploitation vector: Network
Exploit availability: No
Vulnerable software: desktop (Other software / Other software solutions)
Vendor: Nextcloud
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed arbitrary HTML (including local links) to be presented when invalid data was returned in response to a login attempt.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
desktop: 2.0.0 - 2.6.4
External links
http://hackerone.com/reports/685552
http://nextcloud.com/security/advisory/?id=NC-SA-2020-027
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.