Neurotic Programmer Masquerade
    Severity: high

    Cross-Site Scripting



    Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitrary code in a victim's browser.


    Upgrade to version 0.4.2 or later.


    Have content suggestions? Visit

    Advisory timeline

    1. published

      Advisory Published
      Dec 19th, 2019
    2. reported

      Reported by Julius Härtl
      Dec 19th, 2019