nextcloud-desktop is vulnerable to Cross-site Scripting (XSS) attacks. Missing sanitisation on qml labels which are used for basic HTML elements such as strong
, em
and head
lines in the UI of the desktop client, allows an attacker to inject and execute malicious javascript on victim’s browser.