Nextcloud: XSS in Desktop Client via user status and information

Summary:

The Nextcloud Desktop Client application does not properly neutralize the Full Name and Status Message of users before using them.

Steps To Reproduce:

Server Machine:

1. Install the Nextcloud Server application
2. Log into your account
3. Navigate to your profile page
4. Set the Full Name of your user to <img src="https://avatars.githubusercontent.com/u/99037623">
5. Set the Status Message of your user to <img src="https://avatars.githubusercontent.com/u/99037623">

Client Machine:

6. Install the Nextcloud Desktop Client application onto a machine that is running the Windows 10 operating system
7. Log into your account
8. Open the main dialog window of the Nextcloud Desktop Client application
9. Observe that the Full Name and Status Message of your user are treated as HyperText Markup Language

Supporting Material/References:

{F1945608}

Impact

An attacker can inject arbitrary HyperText Markup Language into the Nextcloud Desktop Client application.