Description

Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.

Status: PUBLISHED | Reserved 2025-09-19 | Published 2025-12-04 | Updated 2025-12-04 | Assigner: mitre

Severity: MEDIUM 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Problem types

CWE-749 Exposed Dangerous Method or Function

Product status

Default status: unaffected

Any version before 22.2.10.33: affected
23 (custom) before 23.0.12.29: affected
24 (custom) before 24.0.12.28: affected
25 (custom) before 25.0.13.23: affected
26 (custom) before 26.0.13.20: affected
27 (custom) before 27.1.11.20: affected
28 (custom) before 28.0.14.11: affected
29 (custom) before 29.0.16.8: affected
30 (custom) before 30.0.17: affected
31 (custom) before 31.0.10: affected
32 (custom) before 32.0.1: affected

References

nextcloud.com
www.redteam-pentesting.de/en/advisories/rt-sa-2025-003/
github.com/...sories/security/advisories/GHSA-24wp-p865-7j4r
cve.org (CVE-2025-59788)
nvd.nist.gov (CVE-2025-59788)