{"id":"CVE-2021-41178","details":"Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.","modified":"2026-04-12T02:00:50.796960Z","published":"2021-10-25T22:15:07.913Z","related":["GHSA-jp9c-vpr3-m5rf","openSUSE-SU-2021:1602-1"],"references":[{"type":"ADVISORY","url":"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202208-17"},{"type":"REPORT","url":"https://hackerone.com/reports/1302155"},{"type":"FIX","url":"https://github.com/nextcloud/server/pull/28726"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/server","events":[{"introduced":"9c053c66607a5c261bbf27a3db442addd9b5b6ee"},{"fixed":"43a0a9a3213588d5f6fc88a0e52df6b8a0b9b9ec"},{"introduced":"bd555dbe8568b2509bd7d82fabbe38d76c86afbe"},{"fixed":"64e55fdd4a9ab38d5ad5e8fe457b2912e43efead"},{"introduced":"1eea64f2c3eb0e110391c24830cea5f8d9c3e6a1"},{"fixed":"07e359b7de671a81a7baad701d4496a9f871a770"}],"database_specific":{"extracted_events":[{"introduced":"20.0.3"},{"fixed":"20.0.13"},{"introduced":"21.0.1"},{"fixed":"21.0.5"},{"introduced":"22.1.1"},{"fixed":"22.2.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:nextcloud:server:*:*:*:*:*:*:*:*"}}],"versions":["v20.0.10","v20.0.10RC1","v20.0.11","v20.0.11rc1","v20.0.13rc1","v20.0.3","v20.0.4","v20.0.5","v20.0.5RC1","v20.0.5RC2","v20.0.6","v20.0.6RC1","v20.0.7","v20.0.7RC1","v20.0.8","v20.0.8RC1","v20.0.9","v20.0.9RC1","v21.0.1","v21.0.2","v21.0.2RC1","v21.0.3","v21.0.3rc1","v21.0.4","v21.0.4rc1","v21.0.5rc1","v22.1.1","v22.2.0rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41178.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}