Nextcloud Server and Server Enterprise Content Security Policy Bypass Vulnerability Allowing Cross-Site Scripting via SVG Files

A cross-site scripting vulnerability has been identified in Nextcloud Server and Nextcloud Server Enterprise versions 31.0.0 through 31.0.11 and 32.0.0 through 32.0.2. The issue arises from a lack of proper sanitization, which allows malicious users to bypass the content security policy. This can occur when a user is tricked into viewing an uploaded SVG file outside of the Nextcloud web interface.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, upload an SVG file containing malicious scripts to a Nextcloud server. Then, trick a user into viewing the SVG file outside of the Nextcloud web interface. The injected script will execute in the user's browser, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade Nextcloud Server to version 31.0.12 or 32.0.3. Nextcloud Enterprise Server users should upgrade to version 31.0.12 or 32.0.3.