{"containers": {"cna": {"affected": [{"product": "security-advisories", "vendor": "nextcloud", "versions": [{"status": "affected", "version": "< 4.0.3"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-25T19:05:10.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/contacts/pull/2407"}], "source": {"advisory": "GHSA-j6cx-mxqf-f9vc", "discovery": "UNKNOWN"}, "title": "XSS in Contacts", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39221", "STATE": "PUBLIC", "TITLE": "XSS in Contacts"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "security-advisories", "version": {"version_data": [{"version_value": "< 4.0.3"}]}}]}, "vendor_name": "nextcloud"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}, {"description": [{"lang": "eng", "value": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc", "refsource": "CONFIRM", "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc"}, {"name": "https://github.com/nextcloud/contacts/pull/2407", "refsource": "MISC", "url": "https://github.com/nextcloud/contacts/pull/2407"}]}, "source": {"advisory": "GHSA-j6cx-mxqf-f9vc", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:58:18.235Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/contacts/pull/2407"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-39221", "datePublished": "2021-10-25T19:05:10.000Z", "dateReserved": "2021-08-16T00:00:00.000Z", "dateUpdated": "2024-08-04T01:58:18.235Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F0C097C-939E-4579-B11F-4AF88ED678A3", "versionEndExcluding": "4.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy. It is recommended that the Nextcloud Contacts application is upgraded to 4.0.3. As a workaround, one may use a browser that has support for Content-Security-Policy."}, {"lang": "es", "value": "Nextcloud es una plataforma de productividad de c\u00f3digo abierto y auto-alojada. La aplicaci\u00f3n Nextcloud Contacts versiones anteriores a 4.0.3, era vulnerable a una vulnerabilidad de tipo Cross-Site Scripting (XSS) almacenado. Para una explotaci\u00f3n, un usuario tendr\u00eda que hacer clic con el bot\u00f3n derecho del rat\u00f3n en un archivo malicioso y abrir el archivo en una nueva pesta\u00f1a. Debido a la estricta pol\u00edtica de seguridad de contenidos incluida en Nextcloud, este problema no es explotable en los navegadores modernos que soportan la Pol\u00edtica de Seguridad de Contenidos. Es recomendado actualizar la aplicaci\u00f3n Nextcloud Contacts a la versi\u00f3n 4.0.3. Como soluci\u00f3n, puede ser usado un navegador compatible con una Pol\u00edtica de Seguridad de Contenidos"}], "id": "CVE-2021-39221", "lastModified": "2024-11-21T06:18:56.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-25T19:15:09.730", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/contacts/pull/2407"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/contacts/pull/2407"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j6cx-mxqf-f9vc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}