CVE-2022-39338 LOW

CVE-2022-39338: Stored cross site scripting (XSS) vulnerability via Authorization Endpoint in user_oidc

Vendor Nextcloud

Product security-advisories

Weakness CWE-20 · Input validation

Published November 25, 2022

Last update April 23, 2025

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

user_oidc is an OpenID Connect user backend for Nextcloud. Versions prior to 1.2.1 did not properly validate discovery urls which may lead to a stored cross site scripting attack vector. The impact is limited due to the restrictive CSP that is applied on this endpoint. Additionally this vulnerability has only been shown to be exploitable in the Safari web browser. This issue has been addressed in version 1.2.1. Users are advised to upgrade. Users unable to upgrade should urge their users to avoid using the Safari web browser.

Key dates

02Disclosure timeline

November 25, 2022 CVE published

April 23, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-39338 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2022-39338: Stored cross site scripting (XSS) vulnerability via Authorization Endpoint in user_oidc

01Description

02Disclosure timeline

03References

04Related CVE