10th October 2016
Risk level: Medium
CVSS v3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
HackerOne report: 165686
The gallery app was not properly sanitizing exception messages from the Nextcloud server. Due to an endpoint where an attacker could influence the error message this lead to a reflected Cross-Site-Scripting vulnerability.
Error messages are now properly sanitized.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory: