DOM XSS vulnerability getting reported in nextcloud server 25.0.3.2

We are currently running Nextcloud Server (version 25.0.3.2) in our environment and recently performed a SAST scan against the core codebase. The scan flagged an XSS vulnerability:

  1. Multiple DOM-based XSS in core-common.js

     • File: nextcloud/dist/core-common.js

     • Context: In the resolveURL() function, the code reads window.location.href and then uses

           urlParsingNode.setAttribute('href', href);
           href = urlParsingNode.href;

       at lines 71153, 71157, 74348, 74352, etc. The scanner classified this as a DOM-XSS risk (taint flags: VALIDATED_OPEN_REDIRECT, WEB, XSS).

Has anyone got similar scan findings?
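The pattern the scanner flagged (setting href on a detached anchor element and reading back the normalised value) is a URL-parsing idiom, not by itself a sink: nothing executes until the resolved value reaches location, window.open or the DOM. The example below is added here to illustrate that triage and is not Nextcloud's code. It models the same resolution step with the WHATWG URL parser (which applies the same rules as the anchor trick and runs in Node as well as a browser), then shows the check a reviewer would want between the resolved value and a navigation sink. The base URL, the function names and the sample inputs are all assumptions.

```javascript
// Added example, not Nextcloud code. Models the flagged idiom
//   urlParsingNode.setAttribute('href', href); href = urlParsingNode.href;
// with the WHATWG URL parser so it runs outside a browser.

// Assumed base URL; stands in for window.location.href in the real code.
const BASE = 'https://cloud.example.test/index.php/apps/files/';

// Equivalent of the flagged pattern: resolve a possibly relative href against
// the current document URL. Parsing alone executes nothing; it only normalises.
// Returns null for input the parser rejects (e.g. 'http://' with no host).
function resolveURL(href, base = BASE) {
  try {
    return new URL(href, base).href;
  } catch (e) {
    return null;
  }
}

// The check that matters before the resolved value reaches a navigation sink:
// allow only http(s) (rejects javascript:, data:, vbscript:) and require the
// same origin as the base (rejects protocol-relative and backslash open redirects).
function isSafeNavigationTarget(href, base = BASE) {
  const resolved = resolveURL(href, base);
  if (resolved === null) return false;
  const target = new URL(resolved);
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return false;
  return target.origin === new URL(base).origin;
}

// Wraps a navigation sink: navigate to the resolved URL only if it passes the
// check, otherwise fall back to the site root. Returns the destination used.
function safeRedirect(href, navigate, base = BASE) {
  const dest = isSafeNavigationTarget(href, base)
    ? resolveURL(href, base)
    : new URL(base).origin + '/';
  navigate(dest);
  return dest;
}

// Constructed sample inputs: a normal in-app link, a script URL, a
// protocol-relative redirect and the backslash variant browsers also accept.
const samples = ['?dir=/Documents', 'javascript:alert(1)', '//evil.example/', '\\\\evil.example'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveURL(s), 'safe:', isSafeNavigationTarget(s));
}
```

The useful takeaway for the scan finding is the second function: whether the resolution step is a problem depends entirely on what consumes its output and whether a scheme and origin check sits in between.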

v25 reached end-of-support a long time ago. In addition, even within v25 you’re many maintenance releases behind (the last maintenance release was v25.0.13).

Refs:


Basically what @jtr said above. The version is far from supported, and even within the major version it's behind the latest version.

If you are looking for support for older versions, I suggest taking a look at our Enterprise offering: Nextcloud Enterprise for enterprises and organizations

Nextcloud has been updated to the latest version, but the issue still persists.

@jtr @SysKeeper