Nextcloud Cross-Site Scripting Vulnerability in PDF Viewer Application

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Nextcloud versions prior to 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1. The vulnerability exists in the 'files_pdfviewer' application, which bundles an outdated version of PDF.js that is susceptible to CVE-2024-4367. An attacker can execute arbitrary JavaScript in the context of a user's browser by crafting a malicious PDF file and loading it through the 'viewer.html' component of the PDF viewer app. The issue arises because Nextcloud inadvertently exposes this executable PDF.js example page, which can be accessed without authorization.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute malicious JavaScript in the context of an affected user’s browser. This could lead to unauthorized access to the user's files on Nextcloud.

Reproduction

To reproduce this vulnerability, upload a PDF file that exploits CVE-2024-4367 to a Nextcloud instance. Then, create a shareable link for the uploaded PDF. Construct a URL that includes the 'viewer.html' file from the 'files_pdfviewer' application, appending the shareable link to the URL. When this URL is accessed in a browser, the cross-site scripting vulnerability is triggered, executing the malicious JavaScript.

Remediation

Users can update to Nextcloud versions 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, or 32.0.1, all of which include the necessary fix. Alternatively, the 'viewer.html' file can be removed, or access to it can be denied at the web server.
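The following script is an added example for triaging an installation against the fixed versions listed above; it is not Nextcloud's own code. It takes the installed server version (for example as printed by the admin overview or the occ status command) and reports whether that version is at or above the fixed release for its major branch. The fixed-version table is taken from this advisory; the relative path used for the viewer.html check is an assumption about where the PDF.js viewer lives in a Nextcloud install and should be verified against your deployment.

```python
"""Check whether a Nextcloud server version carries the files_pdfviewer fix.

Added illustration, not Nextcloud's own code. Fixed versions come from the
advisory; VIEWER_HTML_RELPATH is an assumed location.
"""
import os

# Fixed releases from the advisory, keyed by major version branch.
FIXED_VERSIONS = {
    22: "22.2.10.33",
    23: "23.0.12.29",
    24: "24.0.12.28",
    25: "25.0.13.23",
    26: "26.0.13.20",
    27: "27.1.11.20",
    28: "28.0.14.11",
    29: "29.0.16.8",
    30: "30.0.17",
    31: "31.0.10",
    32: "32.0.1",
}

# ASSUMPTION: location of the exposed PDF.js example viewer inside a
# Nextcloud install; confirm this against your own deployment.
VIEWER_HTML_RELPATH = "apps/files_pdfviewer/js/pdfjs/web/viewer.html"


def parse_version(version):
    """Turn '30.0.17' into a comparable tuple of ints, e.g. (30, 0, 17)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(t, width):
    """Right-pad a version tuple with zeros so '30.0.17' equals '30.0.17.0'."""
    return t + (0,) * (width - len(t))


def assess_version(version):
    """Return 'vulnerable', 'fixed' or 'unknown' for an installed version.

    'unknown' covers major branches the advisory does not list (older than
    22 or newer than 32), for which no fixed version is stated here.
    """
    installed = parse_version(version)
    fixed_str = FIXED_VERSIONS.get(installed[0])
    if fixed_str is None:
        return "unknown"
    fixed = parse_version(fixed_str)
    width = max(len(installed), len(fixed))
    if _pad(installed, width) < _pad(fixed, width):
        return "vulnerable"
    return "fixed"


def viewer_html_present(nextcloud_root, relpath=VIEWER_HTML_RELPATH):
    """True if the (assumed) viewer.html path still exists under the install root.

    Useful after applying the removal workaround: the file should be gone.
    """
    return os.path.isfile(os.path.join(nextcloud_root, relpath))


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ["28.0.14.10", "28.0.14.11", "30.0.16", "30.0.17", "21.0.9"]:
        print(f"{v:>12}: {assess_version(v)}")
    # Path below is a placeholder install root.
    print("viewer.html present:", viewer_html_present("/var/www/nextcloud"))
```

The version comparison pads shorter version tuples with zeros, so a four-component installed version is compared correctly against a three-component fixed version such as 30.0.17. If you use the web-server denylist workaround instead of deleting the file, the rule should cover the same viewer.html path that this script checks.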

Added: Dec 4, 2025, 7:20 PM
Updated: Dec 4, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm
spread: 6.2
impact: 1.7
exploitability: 6.3
remediation: 8.3
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.