Security Advisory

Stored XSS in "gallery" application (NC-SA-2016-001)

19th July 2016

Risk level: Medium

CVSS v3 Base Score: 6.4 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N)

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

HackerOne report: 145355

Description

Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack.To exploit this vulnerability an authenticated attacker has to share a folder with someone else, get them to open the shared folder in the Gallery app and open the sharing window there. Since Nextcloud employs a strict Content-Security-Policy this vulnerability is only exploitable in browsers not supporting Content-Security-Policy. You can check at caniuse.com whether your browser supports CSP.

Affected Software

• Nextcloud Server < 9.0.52 (CVE-2016-7419)
• gallery/6933d27afe518967bd1b60e6a7eacd88288929fc

Action Taken

The user input is now properly sanitised before provided back to the user.

Resolution

It is recommended that all instances are upgraded to Nextcloud 9.0.52.

Acknowledgements

The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Frans Rosen - Detectify - Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0.