Bug 1871760 (CVE-2020-8189)

Summary:	CVE-2020-8189 nextcloud: XSS on the login attempt
Product:	[Other] Security Response	Reporter:	Dhananjay Arunesh <darunesh>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED UPSTREAM	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	claudiorodrigo, comzeradd, germano.massullo, gwync, ichavero, james.hogarth, jan.public, mailinglists, nb, nonamedotc, taaem
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-08-24 09:15:27 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1871761, 1871762, 1871763, 1871764
Bug Blocks:

Description Dhananjay Arunesh 2020-08-24 08:27:56 UTC

A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed to present any html (including local links) when responding with invalid data on the login attempt.

References:
https://hackerone.com/reports/685552

Comment 1 Dhananjay Arunesh 2020-08-24 08:28:44 UTC

External References:

https://nextcloud.com/security/advisory/?id=NC-SA-2020-027

Comment 2 Dhananjay Arunesh 2020-08-24 08:29:07 UTC

Created nextcloud tracking bugs for this issue:

Affects: epel-7 [bug 1871763]
Affects: fedora-all [bug 1871761]


Created nextcloud-client tracking bugs for this issue:

Affects: epel-7 [bug 1871764]
Affects: fedora-all [bug 1871762]

Comment 3 Product Security DevOps Team 2020-08-24 09:15:27 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.