A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a 'javascript:' URL in markdown format.
{
"cpe": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "18.0.11"
},
{
"introduced": "19.0.0"
},
{
"fixed": "19.0.5"
},
{
"introduced": "20.0.0"
},
{
"fixed": "20.0.2"
}
],
"source": "CPE_RANGE"
}