CVE-2020-8189 — Vulnetix

CVE-2020-8189 PUBLISHED

A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.

EPSS 0.62% · 70.6th percentile

Risk Scores

EPSS Score

0.62%

70.6th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:20.04:LTS	nextcloud-desktop	2.6.1-1, 2.6.1-2, 2.6.2-1

Exploit Intelligence

XSS in desktop client via invalid server address on login form (hackerone)
XSS in desktop client via invalid server address on login form (hackerone)
XSS in desktop client via invalid server address on login form (hackerone)
https://nextcloud.com/security/advisory/?id=NC-SA-2020-027 (circl)
GLSA-202009-09 (circl)
https://hackerone.com/reports/685552 (canonical)

Timeline

CVE Published
Aug 17, 2020 PoC Published
Apr 14, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Apr 1, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Mar 17, 2025 EPSS Score
Mar 22, 2025 EPSS Score
Mar 23, 2025 EPSS Score
Mar 27, 2025 EPSS Score
Mar 28, 2025 EPSS Score
Mar 30, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2020-8189 third-party-advisory
https://nextcloud.com/security/advisory/?id=NC-SA-2020-027 third-party-advisory
https://hackerone.com/reports/685552 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-8189 third-party-advisory

Open in Interactive Console →