Severity: high

Cross-Site Scripting



Versions of nextcloud-vue-collections prior to 0.4.2 are vulnerable to Cross-Site Scripting (XSS). The v-tooltip component has an insecure defaultHTML configuration that allows arbitrary JavaScript to be injected in the tooltip of a collection item. This allows attackers to execute arbitrary code in a victim's browser.


Upgrade to version 0.4.2 or later.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory Published
    Dec 19th, 2019
  2. reported

    Reported by Julius Härtl
    Dec 19th, 2019