Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczZnEtM3YzZy1taDMy
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs
Impact
The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability.
Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities.
Patches
The vulnerability has been patched in version 3.1.2. If you need to display HTML in the toast, explicitly pass the options.isHTML
config flag.
Workarounds
Make sure no user-supplied input flows into toasts.
Permalink: https://github.com/advisories/GHSA-g3fq-3v3g-mh32JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczZnEtM3YzZy1taDMy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: over 1 year ago
CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-g3fq-3v3g-mh32, CVE-2021-29438
References:
- https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32
- https://www.npmjs.com/package/@nextcloud/dialogs
- https://nvd.nist.gov/vuln/detail/CVE-2021-29438
- https://github.com/advisories/GHSA-g3fq-3v3g-mh32
Blast Radius: 11.9
Affected Packages
npm:@nextcloud/dialogs
Dependent packages: 6Dependent repositories: 380
Downloads: 37,090 last month
Affected Version Ranges: < 3.1.2
Fixed in: 3.1.2
All affected versions: 0.1.0, 0.1.1, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 2.0.0, 2.0.1, 3.0.0, 3.1.0, 3.1.1
All unaffected versions: 3.1.2, 3.1.3, 3.1.4, 3.2.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.3.0, 5.3.1