CVE-2021-29438 - OpenCVE

The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version 3.1.2 If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nextcloud\/dialogs Project	Nextcloud\/dialogs

Configuration 1 [-]

cpe:2.3:a:nextcloud\/dialogs_project:nextcloud\/dialogs:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32
https://www.npmjs.com/package/%40nextcloud/dialogs

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-04-13T18:40:15

Updated: 2024-08-03T22:02:51.929Z

Reserved: 2021-03-30T00:00:00

Link: CVE-2021-29438

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-04-13T20:15:22.187

Modified: 2023-11-07T03:32:36.087

Link: CVE-2021-29438

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "nextcloud-dialogs", "vendor": "nextcloud", "versions": [{"status": "affected", "version": "< 3.1.2"}]}], "descriptions": [{"lang": "en", "value": "The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version 3.1.2 If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-80", "description": "{\"CWE-80\":\"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-04-13T18:40:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40nextcloud/dialogs"}], "source": {"advisory": "GHSA-g3fq-3v3g-mh32", "discovery": "UNKNOWN"}, "title": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-29438", "STATE": "PUBLIC", "TITLE": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "nextcloud-dialogs", "version": {"version_data": [{"version_value": "< 3.1.2"}]}}]}, "vendor_name": "nextcloud"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version 3.1.2 If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "{\"CWE-79\":\"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\"}"}]}, {"description": [{"lang": "eng", "value": "{\"CWE-80\":\"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32", "refsource": "CONFIRM", "url": "https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32"}, {"name": "https://www.npmjs.com/package/@nextcloud/dialogs", "refsource": "MISC", "url": "https://www.npmjs.com/package/@nextcloud/dialogs"}]}, "source": {"advisory": "GHSA-g3fq-3v3g-mh32", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:02:51.929Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40nextcloud/dialogs"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-29438", "datePublished": "2021-04-13T18:40:15", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:02:51.929Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud\\/dialogs_project:nextcloud\\/dialogs:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DE179B6C-DD65-4C85-9F8B-DB9CB28A4B5F", "versionEndExcluding": "3.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Nextcloud dialogs library (npm package @nextcloud/dialogs) before 3.1.2 insufficiently escaped text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. The vulnerability has been patched in version 3.1.2 If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag."}, {"lang": "es", "value": "La biblioteca de di\u00e1logos de Nextcloud (paquete npm @nextcloud/dialogs) versiones anteriores a 3.1.2, la entrada de texto con un escape insuficiente se pas\u00f3 a un toast. Si su aplicaci\u00f3n muestra toast con informaci\u00f3n suministrada por un usuario, esto podr\u00eda conllevar a una vulnerabilidad de tipo XSS. La vulnerabilidad ha sido parcheada en la versi\u00f3n 3.1.2. Si necesita mostrar HTML en el toast pase expl\u00edcitamente el flag de configuraci\u00f3n \"options.isHTML\""}], "id": "CVE-2021-29438", "lastModified": "2023-11-07T03:32:36.087", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-04-13T20:15:22.187", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40nextcloud/dialogs"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}