FKIE_CVE-2021-32782

Vulnerability from fkie_nvd - Published: 2021-09-07 20:15 - Updated: 2024-11-21 06:07
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application is upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround users may use a browser that has support for Content-Security-Policy. A notable exemption is Internet Explorer which does not support CSP properly.
References
security-advisories@github.comhttps://github.com/nextcloud/circles/commit/dbb97a83ccb342c839a54f088aa19b8ba6844b0ePatch, Third Party Advisory
security-advisories@github.comhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-hgpq-28gj-jrj9Patch, Third Party Advisory
security-advisories@github.comhttps://hackerone.com/reports/1217606Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/nextcloud/circles/commit/dbb97a83ccb342c839a54f088aa19b8ba6844b0ePatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hgpq-28gj-jrj9Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://hackerone.com/reports/1217606Permissions Required, Third Party Advisory
Impacted products
Vendor Product Version
nextcloud circles *
nextcloud circles *
nextcloud circles *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nextcloud:circles:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE45116B-2FBC-4582-8DA8-A7F2F422A96A",
              "versionEndExcluding": "0.19.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:circles:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "44019403-A42F-4090-B411-03BE616A95C5",
              "versionEndExcluding": "0.20.10",
              "versionStartIncluding": "0.20.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:nextcloud:circles:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C98B329D-422E-4CFD-9BB6-523D50E5767A",
              "versionEndExcluding": "0.21.3",
              "versionStartIncluding": "0.21.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Circles application is upgraded to 0.21.3, 0.20.10 or 0.19.14 to resolve this issue. As a workaround users may use a browser that has support for Content-Security-Policy. A notable exemption is Internet Explorer which does not support CSP properly."
    },
    {
      "lang": "es",
      "value": "Nextcloud Circles es una red social de c\u00f3digo abierto construida para el ecosistema nextcloud. En las versiones afectadas la aplicaci\u00f3n Nextcloud Circles es susceptible a una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado. Debido a una estricta pol\u00edtica de seguridad de contenidos incluida en Nextcloud, este problema no es explotable en los navegadores modernos que soportan la pol\u00edtica de seguridad de contenidos. Es recomendado actualizar la aplicaci\u00f3n Nextcloud Circles a versiones 0.21.3, 0.20.10 o 0.19.14 para resolver este problema. Como soluci\u00f3n alternativa, los usuarios pueden usar un navegador que sea compatible con Content-Security-Policy. Una excepci\u00f3n notable es Internet Explorer, que no soporta CSP adecuadamente"
    }
  ],
  "id": "CVE-2021-32782",
  "lastModified": "2024-11-21T06:07:43.807",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.3,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-09-07T20:15:07.603",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/circles/commit/dbb97a83ccb342c839a54f088aa19b8ba6844b0e"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hgpq-28gj-jrj9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1217606"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/circles/commit/dbb97a83ccb342c839a54f088aa19b8ba6844b0e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hgpq-28gj-jrj9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1217606"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.