HTML injection with AutoComplete suggestions
State Resolved (Closed)
Disclosed publicly 2018-08-10T09:41:28.528Z
Weakness Cross-site Scripting (XSS) - Generic
Timeline
submitted a report to Nextcloud .
2018-07-18T13:45:00.816Z
  1. As user1 set your display name to <a href="https://nextcloud.com">Name</a>
  2. As user2 autocomplete the name in the comments input (or Talk chat input)
  3. Click on the user name you just autocompleted

User2 is redirected to https://nextcloud.com

Only works with HTML, not with script

Impact

User1 can trick user2 into rendering any HTML

Regards,
Frans

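As an added example (not Nextcloud's own code) of the defect class the report describes, the following models an autocomplete suggestion list in plain JavaScript, with the vulnerable interpolation beside the escaped form; the sample users, function names and the `<li>` markup are assumptions.

```javascript
// Added example (not Nextcloud's code): the autocomplete flow from the
// report, modelled as plain string rendering so it runs in Node.
// Constructed sample users; user1's display name is the payload from the report.
const USERS = [
  { uid: "user1", displayName: '<a href="https://nextcloud.com">Name</a>' },
  { uid: "user2", displayName: "Plain Name" },
];

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the display name is trusted as markup, so user1's
// anchor becomes a real, clickable link inside user2's suggestion list.
function renderSuggestionUnsafe(user) {
  return `<li data-uid="${user.uid}">${user.displayName}</li>`;
}

// Hardened pattern: every user-controlled value is escaped for the context
// it lands in (attribute value, text node), so the payload is shown as text.
function renderSuggestionSafe(user) {
  return `<li data-uid="${escapeHtml(user.uid)}">${escapeHtml(user.displayName)}</li>`;
}

// Autocomplete: case-insensitive substring match on uid or display name,
// rendered with the chosen renderer (safe by default).
function suggest(prefix, render = renderSuggestionSafe) {
  const needle = prefix.toLowerCase();
  return USERS.filter((u) =>
    u.uid.toLowerCase().includes(needle) ||
    u.displayName.toLowerCase().includes(needle)
  ).map(render);
}

// Review/detection helper: does a rendered item contain any tag besides its
// own <li> wrapper? True means user data reached the page as markup.
function containsForeignMarkup(item) {
  const inner = item.replace(/^<li[^>]*>/, "").replace(/<\/li>$/, "");
  return /<\/?[a-zA-Z!]/.test(inner);
}
```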
Activities::Comment
2018-07-18T13:45:01.293Z
Thanks a lot for reporting this potential issue back to us! Our security team will take a look at this issue as soon as possible. We will reply to your report within 72 hours, usually much faster. For obvious reasons we'd like to ask you to not disclose this issue to any other party.


nickvergessen Activities::BugTriaged
2018-07-18T13:45:24.385Z


nickvergessen Activities::BugResolved
2018-07-24T06:34:32.276Z
Fixed in Nextcloud 13.0.5 and Talk 3.2.5


Activities::NotEligibleForBounty
2018-07-24T06:35:55.512Z
As an internal finding this does not qualify for a bounty


nickvergessen Activities::AgreedOnGoingPublic
2018-07-24T06:36:47.400Z


rullzer Activities::AgreedOnGoingPublic
2018-08-10T09:41:28.427Z


rullzer Activities::ReportBecamePublic
2018-08-10T09:41:28.572Z