Cross-site Scripting Vulnerability in Nextcloud Server 18.0.2 Due to Outdated Library
CVE-2020-8155

5.4MEDIUM

Key Information:

Vendor

Nextcloud
Status
Nextcloud Server
Vendor
CVE Published:
12 May 2020

What is CVE-2020-8155?

A security flaw has been identified in the Nextcloud Server 18.0.2 due to the utilization of an outdated third-party library in its Files PDF viewer. This vulnerability allows attackers to exploit Cross-site scripting (XSS) when a user opens a specially crafted malicious PDF document. This can lead to the execution of arbitrary scripts in the context of the user's session, potentially compromising sensitive information and user interactions.

Affected Version(s)

Nextcloud Server 18.0.3

References

https://nextcloud.com/security/advisory/?id=NC-SA-2020-019
x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.