Vulnerability Details CVE-2018-3763
In Nextcloud Calendar before 1.5.8 and 1.6.1, missing sanitization of search results for an autocomplete field could lead to stored XSS requiring user interaction. The missing sanitization affected only group names, so malicious search results could be crafted only by privileged users such as admins or group admins.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.6%
CVSS Severity
CVSS v3 Score 4.8
CVSS v2 Score 3.5
Products affected by CVE-2018-3763
- cpe:2.3:a:nextcloud:calendar:-
- cpe:2.3:a:nextcloud:calendar:1.0
- cpe:2.3:a:nextcloud:calendar:1.1
- cpe:2.3:a:nextcloud:calendar:1.2
- cpe:2.3:a:nextcloud:calendar:1.2.1
- cpe:2.3:a:nextcloud:calendar:1.2.2
- cpe:2.3:a:nextcloud:calendar:1.3.
- cpe:2.3:a:nextcloud:calendar:1.3.0
- cpe:2.3:a:nextcloud:calendar:1.3.1
- cpe:2.3:a:nextcloud:calendar:1.3.2
- cpe:2.3:a:nextcloud:calendar:1.4.0
- cpe:2.3:a:nextcloud:calendar:1.4.1
- cpe:2.3:a:nextcloud:calendar:1.5.0
- cpe:2.3:a:nextcloud:calendar:1.5.1
- cpe:2.3:a:nextcloud:calendar:1.5.2
- cpe:2.3:a:nextcloud:calendar:1.5.3
- cpe:2.3:a:nextcloud:calendar:1.5.4
- cpe:2.3:a:nextcloud:calendar:1.5.5
- cpe:2.3:a:nextcloud:calendar:1.5.6
- cpe:2.3:a:nextcloud:calendar:1.6.0