diff options
Diffstat (limited to 'advisories/nc-sa-2017-008.php')
-rw-r--r-- | advisories/nc-sa-2017-008.php | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/advisories/nc-sa-2017-008.php b/advisories/nc-sa-2017-008.php index baf40e7a..f79c9e4d 100644 --- a/advisories/nc-sa-2017-008.php +++ b/advisories/nc-sa-2017-008.php @@ -13,9 +13,7 @@ <p>CWE: <a href="https://cwe.mitre.org/data/definitions/79.html">Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)</a></p> <p>HackerOne report: <a href="https://hackerone.com/reports/216812">216812</a></p> <h3>Description</h3> - <p><p>Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.</p> -<p>Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.</p> -</p> + <p>Inadequate escaping of error messages leads to XSS vulnerabilities in multiple components.Note that Nextcloud employs a strict Content-Security-Policy preventing exploitation of this XSS issue on modern web browsers.</p> <h3>Affected Software</h3> <ul> <li>Nextcloud Server < <strong>11.0.3</strong> (CVE-2017-0891)</li> @@ -24,8 +22,9 @@ </ul> <h3>Action Taken</h3> - <p><p>Error messages are now properly escaped.</p> -</p> + <p>Error messages are now properly escaped.</p> + <h3>Resolution</h3> + <p>It is recommended that all instances are upgraded to Nextcloud 9.0.58, 10.0.5 or 11.0.3.</p> <h3>Acknowledgements</h3> <p>The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:</p> <ul> |