VYPR
Unrated severity · NVD Advisory · Published Nov 25, 2022 · Updated Apr 23, 2025

Stored cross-site scripting (XSS) vulnerability via Authorization Endpoint in user_oidc

CVE-2022-39338

Description

A stored cross-site scripting vulnerability in user_oidc for Nextcloud prior to 1.2.1 allows attackers to inject malicious code via unvalidated discovery URLs, exploitable only in Safari.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The user_oidc app for Nextcloud versions prior to 1.2.1 did not properly validate OpenID Connect discovery URLs. This allows an attacker to inject arbitrary JavaScript into the authorization endpoint URL, leading to a stored cross-site scripting (XSS) vulnerability. The impact is limited due to the restrictive Content Security Policy (CSP) applied on the endpoint. [1][2]

Exploitation

An attacker must be able to configure a malicious OpenID Connect provider or manipulate the discovery URL. The vulnerability is only exploitable in the Safari web browser due to its handling of certain URL schemes. No authentication is required if the attacker can trick an administrator into adding a malicious provider. The injected script is stored and executed when a user visits the affected page. [2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the Nextcloud instance. This could lead to data theft, session hijacking, or other malicious actions. The impact is partially mitigated by the restrictive CSP, but Safari's behavior bypasses some protections. [2]

Mitigation

The vulnerability is fixed in user_oidc version 1.2.1, released on 2022-11-25. Users are advised to upgrade immediately. For those unable to upgrade, a workaround is to urge users to avoid using the Safari web browser. [1][2]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.