DescriptionCross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs835086

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
owncloudsource(unstable)(not affected)


- owncloud <not-affected> (Vulnerable code introduced later)
up to version which was removed, not included, as the vulnerable code was
introduced later in a migration of the Gallery app to a new sharing endpoint
where a parameter changed from an interger to a string value, and that value
not beeing sanitized.

Search for package or bug name: Reporting problems