Cross-Site Scripting in Nextcloud Circles
Description
Nextcloud Circles stored XSS vulnerability fixed in versions 0.21.3, 0.20.10, 0.19.14; not exploitable on modern browsers due to CSP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Nextcloud Circles application, versions prior to 0.21.3, 0.20.10, and 0.19.14, is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. The bug resides in the file browsing feature where circle names are rendered without proper HTML escaping. The commit dbb97a83ccb342c839a54f088aa19b8ba6844b0e [1] adds an escapeHTML function to sanitize the circle name output. Due to the strict Content-Security-Policy (CSP) shipped with Nextcloud, this issue is not exploitable on modern browsers that support CSP [2].
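As an added illustration (not code from the Nextcloud Circles commit referenced above), the bug class in JavaScript: a share row rendered with the raw circle name beside one that passes the name through an HTML-escaping helper first. The escapeHTML below is a local implementation written for this example; that it matches Nextcloud's own helper is an assumption, and the circle names are constructed samples.

```javascript
// Entity-escape the characters that can open or close markup or an attribute.
// Assumption: Nextcloud's escapeHTML helper escapes the same characters.
function escapeHTML(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable pattern: the circle name is interpolated straight into the
// share row's HTML, so a name containing markup becomes markup.
function renderShareRowVulnerable(circle) {
  return '<li class="circle-share">' + circle.name + '</li>';
}

// Fixed pattern: the name is escaped before it reaches the template, so the
// browser shows the characters as text instead of parsing them as tags.
function renderShareRowFixed(circle) {
  return '<li class="circle-share">' + escapeHTML(circle.name) + '</li>';
}

// Defender-side check for a rendered row: after stripping the template's own
// <li> wrapper, does anything that looks like a tag remain?
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<li class="circle-share">/, '')
    .replace(/<\/li>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample circle names (not taken from the advisory).
const benignCircle = { name: 'Marketing & Sales' };
const hostileCircle = { name: '<img src=x onerror="alert(1)">' };

console.log(renderShareRowVulnerable(hostileCircle)); // tag survives
console.log(renderShareRowFixed(hostileCircle));      // tag neutralised
```

Escaping at the output point removes the bug itself; the CSP the advisory mentions is the second layer that stops the injected script from running on browsers that enforce it.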
Exploitation
An attacker must have the ability to create or modify a circle with a malicious name containing JavaScript payloads. When a victim user browses shared files within the Circles interface, the unsanitized circle name is rendered, executing the attacker's script. However, exploitation is only possible on browsers that do not properly enforce CSP, such as Internet Explorer [2]. No additional authentication or user interaction beyond browsing the shared files is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's Nextcloud session. This could lead to information disclosure, session hijacking, or unauthorized actions performed on behalf of the victim. The impact is limited to browsers without CSP support, significantly reducing the attack surface on modern browsers.
Mitigation
The vulnerability is fixed in Nextcloud Circles versions 0.21.3, 0.20.10, and 0.19.14 [2]. Users should upgrade to one of these versions. As a workaround, users can employ a browser that fully supports Content-Security-Policy, which prevents script execution even if the stored XSS payload is present. Internet Explorer does not enforce CSP and so gains no protection from it [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- nextcloud/security-advisories v5 Range: < 0.19.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/nextcloud/circles/commit/dbb97a83ccb342c839a54f088aa19b8ba6844b0e (MISC)
[2] github.com/nextcloud/security-advisories/security/advisories/GHSA-hgpq-28gj-jrj9 (CONFIRM)
[3] hackerone.com/reports/1217606 (MISC)
News mentions
No linked articles in our index yet.