nextcloud, owncloud
2017-10-23 14:15
2017-06-16 19:21
2017-05-10 23:45
2017-04-14 10:19
2017-04-01 21:42
2017-03-28 21:03


Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.

Am I vulnerable?

The constraints below list the versions that this vulnerability is patched in, and versions that are unaffected. If a patch is ready but unrealeased, then it is pending.

Or, you can just let us figure it out for you! Appcanary continously monitor your installed packages, and tell you if any of them are vulnerable.

Sign up for monitoring

Affected package information



Release Package Reason
precise nextcloud DNE
owncloud ignored
precise/esm nextcloud DNE
owncloud DNE
trusty nextcloud DNE
vivid/stable-phone-overlay nextcloud DNE
owncloud DNE
vivid/ubuntu-core nextcloud DNE
owncloud DNE
xenial nextcloud DNE
owncloud DNE
yakkety nextcloud DNE
owncloud DNE
zesty nextcloud DNE
owncloud DNE
artful nextcloud DNE
owncloud DNE
devel nextcloud DNE
owncloud DNE

Needs Triage

Release Package Reason
upstream nextcloud needs-triage
owncloud needs-triage
trusty owncloud needs-triage