CVE-2024-22213: Cross-site Scripting when sending HTML as a comment in the Nextcloud Deck app
First published: Thu Jan 18 2024(Updated: )
Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. In affected versions users could be tricked into executing malicious code that would execute in their browser via HTML sent as a comment. It is recommended that the Nextcloud Deck is upgraded to version 1.9.5 or 1.11.2. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Deck | >=1.9.0<1.9.5 | |
| Nextcloud Deck | >=1.10.0<1.11.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- vendor/nextcloud
- canonical/nextcloud deck
- version/nextcloud deck/1.9.0
- version/nextcloud deck/1.10.0