19th July 2016
Risk level: Low
CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CWE: Cross-Site Scripting Using MIME Type Mismatch (CWE-209)
HackerOne report: 146278
The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.
While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.
The file is now delivered with a content-type of "application/octet-stream".
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory: