CVE-2021-32733
low-risk
Published 2021-07-12
Nextcloud Text is a collaborative document editing application that uses Markdown. A cross-site scripting vulnerability is present in versions prior to 19.0.13, 20.0.11, and 21.0.3. The Nextcloud Text application shipped with Nextcloud server used a `text/html` Content-Type when serving files to users, so a Markdown document containing raw HTML or script could be rendered as a page in the Nextcloud origin rather than delivered as data. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers that support Content-Security-Policy. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, use a browser that has support for Content-Security-Policy.
Do I need to act?
- EPSS: 0.17% chance of exploitation (low exploit probability)
- CISA KEV: not listed; no confirmed active exploitation reported to CISA
- Patch status: not tracked by this entry; the advisory text above names the fixed versions (19.0.13, 20.0.11, 21.0.3), so check the vendor advisory for fix availability and mitigation guidance
CVSS 4.8/10 (Medium): attack vector Network, attack complexity High
Affected Products (1)
Affected Vendors
References (6)
- Third Party Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-j...
- Permissions Required: https://hackerone.com/reports/1241460
Score: 21/100 (low-risk)
- Severity: 15/34 (Moderate)
- Exploitability: 1/34 (Minimal)
- Exposure: 5/34 (Minimal)