Vulnerability Details : CVE-2022-39338
user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery URLs, which may lead to a stored cross-site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally, this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoid using the Safari web browser.
Vulnerability category: Cross-site scripting (XSS); Input validation
Products affected by CVE-2022-39338
- cpe:2.3:a:nextcloud:openid_connect_user_backend:*:*:*:*:*:nextcloud:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-39338
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- Percentile: ~25% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-39338
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | 0.9 | 2.5 | GitHub, Inc. |
CWE ids for CVE-2022-39338
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Primary)
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-39338
- https://hackerone.com/reports/1687410 (HackerOne; Permissions Required; Third Party Advisory)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5fpw-795h-rg57 (Stored XSS via Authorization Endpoint - Safari-Only · Advisory · nextcloud/security-advisories · GitHub; Third Party Advisory)
- https://github.com/nextcloud/user_oidc/pull/496 (Check if authorization_endpoint is valid in code flow by julien-nc · Pull Request #496 · nextcloud/user_oidc · GitHub; Patch; Third Party Advisory)