CVE-2021-41178
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
EPSS 0.87% · 75.5th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| nextcloud | server | 20.0.3, 21.0.1, 22.1.1 |
| nextcloud | security-advisories | *, 20.0.13, * |
Exploit Intelligence
Timeline
- Oct 25, 2021 CVE Published
- Oct 26, 2021 EPSS Score
- Dec 21, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 15, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Apr 12, 2022 EPSS Score
- Jun 7, 2022 EPSS Score
- Aug 3, 2022 EPSS Score
- Nov 23, 2022 EPSS Score
- Dec 29, 2022 EPSS Score
- Jan 19, 2023 EPSS Score
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72 advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fj39-4qx4-m3f2 advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vxcm-g5v4-637f advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7hvh-rc6f-px23 advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g36v-67gv-h757 advisory
- https://github.com/nextcloud/server/pull/28726 url
- https://hackerone.com/reports/1302155 url
- GLSA-202208-17 vendor-advisory