A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server used a `text/html` Content-Type when serving files to users. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy.
A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server used a `text/html` Content-Type when serving files to users. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq https://hackerone.com/reports/1241460 https://github.com/nextcloud/text/pull/1689 https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00