Cross-Site Scripting Flaw in Nextcloud Desktop Client
CVE-2020-8189

5.4MEDIUM

Key Information:

Vendor

Nextcloud
Status
Desktop Client
Vendor
CVE Published:
21 August 2020

What is CVE-2020-8189?

The Nextcloud Desktop client version 2.6.4 contains a cross-site scripting vulnerability that arises from improper handling of invalid input during the login process. Attackers can exploit this flaw by presenting HTML content—including local links—through error messages when login attempts fail. This could lead to unauthorized actions or exposure of sensitive user information.

Affected Version(s)

Desktop Client 2.6.5

References

https://hackerone.com/reports/685552
x_refsource_MISC
https://nextcloud.com/security/advisory/?id=NC-SA-2020-027
x_refsource_MISC
https://security.gentoo.org/glsa/202009-09
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.