CVE-2020-8294

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-8294
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8294.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-8294
Downstream
Related
Published
2021-02-03T17:15:16.293Z
Modified
2026-04-10T04:28:23.079685Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
148e875f8edbf2f66d1f9a5d1a13ececc5b4da4d
Introduced
9c63433cde916cd35b0708b398910cbc1cb52315
Fixed
666ad85b63cf29f10377188992774c57b9d1e69f
Introduced
615b994816710a595243d704c9be445f736b4b41
Fixed
96f99a40f5569936f1951f1ccef8ea5fa25b607b
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "18.0.11"
        },
        {
            "introduced": "19.0.0"
        },
        {
            "fixed": "19.0.5"
        },
        {
            "introduced": "20.0.0"
        },
        {
            "fixed": "20.0.2"
        }
    ]
}

Affected versions

v1.*
v1.0.0beta1
v11.*
v11.0.0
v11.0RC2
v12.*
v12.0.0beta1
v12.0.0beta2
v12.0.0beta3
v12.0.0beta4
v13.*
v13.0.0RC1
v13.0.0beta1
v13.0.0beta2
v13.0.0beta3
v13.0.0beta4
v14.*
v14.0.0RC1
v14.0.0RC2
v14.0.0beta1
v14.0.0beta2
v14.0.0beta3
v14.0.0beta4
v15.*
v15.0.0RC1
v15.0.0beta1
v15.0.0beta2
v16.*
v16.0.0RC1
v16.0.0alpha1
v16.0.0beta1
v16.0.0beta2
v16.0.0beta3
v17.*
v17.0.0beta1
v17.0.0beta2
v17.0.0beta3
v17.0.0beta4
v17.0.5RC1
v18.*
v18.0.0
v18.0.0RC1
v18.0.0RC2
v18.0.0beta1
v18.0.0beta2
v18.0.0beta3
v18.0.0beta4
v18.0.1
v18.0.10
v18.0.10RC1
v18.0.10RC2
v18.0.11RC1
v18.0.11RC2
v18.0.1RC1
v18.0.1RC2
v18.0.1RC3
v18.0.2
v18.0.2RC1
v18.0.2RC2
v18.0.4
v18.0.4RC1
v18.0.4RC2
v18.0.5
v18.0.6
v18.0.7
v18.0.7RC1
v18.0.8
v18.0.8RC1
v18.0.8RC2
v18.0.9
v18.0.9RC1
v19.*
v19.0.0
v19.0.1
v19.0.1RC1
v19.0.2
v19.0.2RC1
v19.0.2RC2
v19.0.3
v19.0.3RC1
v19.0.4
v19.0.40RC1
v19.0.4RC2
v19.0.5RC1
v19.0.5RC2
v20.*
v20.0.0
v20.0.1
v20.0.1RC1
v20.0.2RC1
v20.0.2RC2
v3.*
v3.0
v4.*
v4.0.0
v4.0.0RC
v4.0.0RC2
v4.0.0beta
v4.0.1
v4.0.4
v4.0.5
v4.0.6
v4.5.0
v4.5.0RC1
v4.5.0RC2
v4.5.0RC3
v4.5.0beta3
v4.5.0beta4
v5.*
v5.0.0
v5.0.0RC1
v5.0.0RC2
v5.0.0RC3
v5.0.0alpha1
v5.0.0beta1
v5.0.0beta2
v6.*
v6.0.0RC1
v6.0.0RC2
v6.0.0alpha2
v6.0.0beta2
v6.0.0beta3
v6.0.0beta4
v6.0.0beta5
v7.*
v7.0.0alpha2
v7.0.0beta1
v8.*
v8.0.0
v8.0.0RC1
v8.0.0RC2
v8.0.0alpha1
v8.0.0alpha2
v8.0.0beta1
v8.0.0beta2
v8.1.0alpha1
v8.1.0alpha2
v8.1.0beta1
v8.1.0beta2
v8.1RC2
v8.2RC1
v8.2beta1
v9.*
v9.0.0beta2
v9.0beta1
v9.1.0beta1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8294.json"