Headline
CVE-2022-39338: Stored XSS via Authorization Endpoint - Safari-Only
user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery URLs, which may lead to a stored cross-site scripting (XSS) attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally, this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoid using the Safari web browser.
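The advisory attributes the issue to unvalidated discovery URLs that end up rendered by the authorization endpoint. As an added illustration (not user_oidc's own code or the actual 1.2.1 fix), the following shows the two controls a practitioner would expect around such a setting: strict validation of the admin-supplied discovery URL before it is stored, and HTML escaping when the stored value is echoed into markup. The function names, the https-only rule and the sample inputs are assumptions made for this example.

```python
"""Hypothetical discovery-URL handling for an OIDC provider setting.

Added example, not code from the user_oidc project.  Assumes the
provider's discovery URL is an admin-supplied string that is stored and
later embedded in a page served by the authorization endpoint.
"""
from html import escape
from urllib.parse import urlsplit

# Assumption for this example: discovery must happen over TLS.
ALLOWED_SCHEMES = {"https"}
MAX_URL_LENGTH = 2048

# Characters that have no business in a discovery URL and are the usual
# building blocks of markup or header injection.
FORBIDDEN_CHARS = set('<>"\'\x00\r\n')


def validate_discovery_url(url: str) -> bool:
    """Return True only for an absolute https URL with a host, without
    embedded credentials or a fragment.  Anything else is rejected before
    the value is stored, so it can never reach a template."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LENGTH:
        return False
    if FORBIDDEN_CHARS.intersection(url):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects javascript:, data:, http: and scheme-less input
    if not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.fragment:
        return False
    return True


def render_provider_link(url: str) -> str:
    """Second line of defence: the stored URL is HTML-escaped when echoed
    into markup, so even a value that slipped past validation cannot
    close the attribute or inject tags.  CSP would be the third layer."""
    if not validate_discovery_url(url):
        raise ValueError("invalid discovery URL")
    safe = escape(url, quote=True)
    return f'<a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    samples = [
        "https://idp.example.test/.well-known/openid-configuration",
        "http://idp.example.test/.well-known/openid-configuration",
        "javascript:void(0)",
        "https://u:p@idp.example.test/",
        'https://idp.example.test/"><b>',
    ]
    for s in samples:
        print(f"{'accept' if validate_discovery_url(s) else 'reject':6}  {s}")
```

Validation happens at write time (when the provider is configured), and escaping happens at read time (when the value is rendered); keeping both means a bad value that bypasses one layer is still neutralised by the other, which is the same defence-in-depth reasoning behind the advisory's remark that the endpoint's CSP limits the impact.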
Package
user_oidc (Nextcloud)
Affected versions
< 1.2.1
Patched versions
1.2.1
Description
Impact
Stored XSS. The impact is limited due to the restrictive CSP that is applied on this endpoint.
Patches
Patched in v1.2.1
Workarounds
Avoid using the Safari web browser.
References
https://hackerone.com/reports/1687410
nextcloud/user_oidc#496
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com
Severity
Low
3.5 / 10
CVSS base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
CVE ID
CVE-2022-39338
Weaknesses
CWE-79
Credits
- lauritzh