Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczZnEtM3YzZy1taDMy

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs

Impact

The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability.

Note: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities.

Patches

The vulnerability has been patched in version 3.1.2. If you need to display HTML in the toast, explicitly pass the options.isHTML config flag.

Workarounds

Make sure no user-supplied input flows into toasts.

Permalink: https://github.com/advisories/GHSA-g3fq-3v3g-mh32
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWczZnEtM3YzZy1taDMy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: over 1 year ago

CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-g3fq-3v3g-mh32, CVE-2021-29438
References:

Repository: https://github.com/nextcloud/nextcloud-dialogs
Blast Radius: 11.9

Affected Packages

npm:@nextcloud/dialogs

Dependent packages: 6
Dependent repositories: 380
Downloads: 37,090 last month
Affected Version Ranges: < 3.1.2
Fixed in: 3.1.2
All affected versions: 0.1.0, 0.1.1, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 2.0.0, 2.0.1, 3.0.0, 3.1.0, 3.1.1
All unaffected versions: 3.1.2, 3.1.3, 3.1.4, 3.2.0, 4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.3.0, 5.3.1