CVE-2021-29438 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in

Description

### Impact The Nextcloud dialogs library before 3.1.2 did insufficiently escape text input passed to a toast. If your application displays toasts with user-supplied input, this could lead to a XSS vulnerability. _Note_: Nextcloud Server employs a strict Content Security Policy that mitigates the risk of these XSS vulnerabilities. ### Patches The vulnerability has been patched in version 3.1.2. If you need to display HTML in the toast, explicitly pass the `options.isHTML` config flag. ### Workarounds Make sure no user-supplied input flows into toasts.

How to fix CVE-2021-29438

To remediate CVE-2021-29438, upgrade the affected package to a fixed version below.

—upgrade to 3.1.2 or later

Is CVE-2021-29438 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29438
WEBgithub.com/nextcloud/nextcloud-dialogs/security/advisories/GHSA-g3fq-3v3g-mh32
WEBwww.npmjs.com/package/@nextcloud/dialogs