Neurotic Programmer Masquerade
    Severity: high

    Cross-Site Scripting

    nextcloud-vue-collections

    Overview

    Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitrary code in a victim's browser.

    Remediation

    Upgrade to version 0.4.2 or later.

    Resources

    Have content suggestions? Visit npmjs.com/support.

    Advisory timeline

    1. published

      Advisory Published
      Dec 19th, 2019
    2. reported

      Reported by Julius Härtl
      Dec 19th, 2019