Nextcloud is one of the most popular open-source self-hosted cloud services out there. Like many modern platforms, Nextcloud supports logging in with multiple identity providers using OpenID Connect. The user_oidc app helps users connect external OpenID identity providers (like Google or Microsoft) to their Nextcloud. But like any software, vulnerabilities can crop up—even in features intended to boost security.
In 2022, a researcher discovered a potential stored cross-site scripting (XSS) vulnerability in version 1.2. and earlier of user_oidc. The official identifier for this issue is CVE-2022-39338. Let’s break down how this bug worked, how to protect yourself, and why you really shouldn’t browse Nextcloud with Safari until you update!
The Root of the Bug: Insufficient Validation
When setting up an OpenID Connect provider, you need to specify a discovery URL. This is a special address that contains information about the identity provider’s endpoints. The bug in user_oidc was simple: it did not properly validate discovery URLs provided by administrators or users.
This meant that someone could sneak a maliciously crafted discovery URL into Nextcloud’s settings. When other users visited the page that displayed this discovery info, some parts were rendered in a way that could execute hostile JavaScript code—what’s known as stored XSS.
Suppose an attacker sets the discovery URL to
https://openid.example.com/.well-known/openid-configuration"><script>alert('XSS!')</script>;
When the page loads for an admin or user in the Nextcloud UI, Nextcloud’s frontend might reflect this value somewhere on the page. Most modern web browsers would refuse to execute the injected script thanks to strict Content Security Policy (CSP) headers. But, for reasons unique to Safari’s rendering engine and quirks in how it parses pages and CSP rules, Safari could be tricked into executing the script anyway.
Technical Example: Vulnerable Code
Here's a simplified example that demonstrates how something similar could happen if sanitization is missing:
// Example: Rendering the discovery URL in PHP Twig template
<?= htmlspecialchars($discoveryUrl, ENT_QUOTES, 'UTF-8') ?>
If htmlspecialchars() or similar sanitization isn’t applied, a dangerous value like
foo"><script>alert('hello')</script>
could break out of the HTML attribute and insert raw JavaScript.
To exploit this XSS
1. Malicious admin or privileged user sets the discovery URL in user_oidc configuration to contain JavaScript payload (e.g., "><script>alert('pwned')</script>).
2. Any other user (using Safari and only Safari) views the configuration page or any area where the discovery URL is rendered.
3. JavaScript code is executed in that user’s browser. This could steal session cookies or perform actions as the victim user.
Because of Nextcloud’s strict CSP, other browsers block this attack. Only Safari, due to its CSP handling, can be abused here.
Impact: Why It’s “Limited” but Still Dangerous
- Restricted Endpoint: The attack is only possible on a narrow set of pages in the Nextcloud user_oidc app where the discovery URL is visible.
- Good CSP: Nextcloud enforces a tight Content Security Policy, so many common XSS tricks don’t work.
- Safari Only: Chrome, Firefox, and Edge were not vulnerable due to their stricter CSP enforcement.
Still, any stored XSS is a potential foothold for attackers, especially if an administrator uses Safari.
What to do if you run Nextcloud with user_oidc plugin
- Update Immediately: The vulnerability is fixed in user_oidc 1.2.1.
- Stop Using Safari Temporarily: Until you update, advise all admins and users to use browsers other than Safari when accessing Nextcloud user_oidc configuration pages.
Official References
- Nextcloud Security Advisory (GitHub)
- user_oidc Release Notes
- CVE Record: CVE-2022-39338
- OpenID Connect Discovery Spec
Summary
CVE-2022-39338 is a good reminder that small validation bugs around places where user-provided URLs are handled can lead to unexpected security issues—even stored XSS. Nextcloud users should upgrade user_oidc immediately and review their security hygiene, especially if you or your admins use Safari.
Stay safe, keep your Nextcloud stack up to date, and always assume every input needs to be validated.
> If you have questions, report vulnerabilities, or need further advice, check out Nextcloud’s Security Guidelines.
Timeline
Published on: 11/25/2022 19:15:00 UTC
Last modified on: 12/01/2022 20:43:00 UTC