CVE-2018-3764: XSS
First published: Thu Jul 05 2018(Updated: )
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Contacts | <2.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Nextcloud Contacts vulnerability?
The vulnerability ID for this Nextcloud Contacts vulnerability is CVE-2018-3764.
What is the severity of CVE-2018-3764?
The severity of CVE-2018-3764 is medium with a CVSS score of 4.8.
What is the affected software for CVE-2018-3764?
The affected software for CVE-2018-3764 is Nextcloud Contacts before version 2.1.2.
What is the description of CVE-2018-3764?
CVE-2018-3764 is a vulnerability in Nextcloud Contacts before 2.1.2 that allows a stored XSS attack requiring user interaction.
Is there a fix available for CVE-2018-3764?
Yes, the fix for CVE-2018-3764 is available in Nextcloud Contacts version 2.1.2.
- collector/nvd-index
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/type
- agent/description
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/nextcloud
- canonical/nextcloud contacts