Severity: high

Cross-Site Scripting

nextcloud-vue-collections

Overview

Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitrary code in a victim's browser.

Remediation

Upgrade to version 0.4.2 or later.

Resources

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Dec 19th, 2019
  2. reported

    Reported by Julius Härtl
    Dec 19th, 2019