From this webpage screenshot, the following key information about the vulnerability can be obtained:

1. Vulnerability Description:
   - Vulnerability Name: Incomplete sanitization of SVG files allows to embed other images into previews
   - Publisher: nickvergessen
   - Vulnerability ID: GHSA-5m5g-hw8c-2236
   - Release Date: Yesterday
2. Affected Versions:
   - Nextcloud Server:
     - >= 27.0.0, >= 28.0.0, >= 29.0.0
   - Nextcloud Enterprise:
     - >= 24.0.0, >= 25.0.0, >= 26.0.0, >= 27.0.0, >= 28.0.0, >= 29.0.0
3. Fixed Versions:
   - Nextcloud Server:
     - 27.1.10, 28.0.6, 29.0.1
   - Nextcloud Enterprise:
     - 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6, 29.0.1
4. Vulnerability Severity:
   - Severity: Moderate
   - CVSS v3 Base Metrics:
     - Attack Vector: Network
     - Attack Complexity: Low
     - Privileges Required: Low
     - User Interaction: Required
     - Scope: Unchanged
     - Confidentiality: High
     - Integrity: None
     - Availability: None
5. Impact:
   - Description: After an administrator enables the default-disabled SVG preview provider, a malicious user can upload a manipulated SVG file that references paths to other files. If such files exist, the preview will display those files.
6. Remediation Recommendations:
   - Nextcloud Server: Upgrade to 27.1.10, 28.0.6, or 29.0.1
   - Nextcloud Enterprise: Upgrade to 24.0.12.15, 25.0.13.10, 26.0.13.4, 27.1.10, 28.0.6, or 29.0.1
7. Workarounds:
   - Disable SVG file previews
8. Reference Links:
   - HackerOne
   - Pull Request
9. Additional Information:
   - Create a post on nextcloud/security-advisories
   - Clients: Open a support ticket at portal.nextcloud.com

This information helps understand the nature, scope of impact, and how to remediate or workaround the vulnerability.
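The impact described above depends on an uploaded SVG carrying references that point outside the document. The following check is an added example, not Nextcloud's code or the actual fix: it lists every reference in an SVG that is not a same-document fragment, so such uploads can be flagged before rendering. The function names, the strict fragment-only policy and the sample SVGs with placeholder paths are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Matches url(...) targets in presentation attributes, style attributes and <style> text.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)

# Constructed sample inputs (placeholder paths, not taken from the advisory).
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><defs><circle id="c" r="4"/>'
             b'</defs><use href="#c"/><rect fill="url(#g)"/></svg>')
SUSPECT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<image xlink:href="/placeholder/other-file.png"/>'
               b'<rect style="fill:url(placeholder.svg#p)"/></svg>')


def leaves_document(ref: str) -> bool:
    """Assumed policy: only same-document fragments (#id) are acceptable."""
    return not ref.strip().startswith("#")


def external_references(svg_bytes: bytes) -> list[str]:
    """Return every reference that points outside the SVG document itself."""
    upper = svg_bytes.upper()
    # Reject DTDs before parsing: previews do not need them and entities can hide references.
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        return ["<DOCTYPE/ENTITY declaration>"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["<unparseable XML>"]  # fail closed on malformed input
    found = []
    for el in root.iter():
        for name, value in el.attrib.items():
            if name in ("href", "src", XLINK_HREF):
                candidates = [value]
            else:
                candidates = CSS_URL.findall(value)
            found += [c for c in candidates if leaves_document(c)]
        # <style> element text can carry url(...) references too.
        if el.tag.rsplit("}", 1)[-1] == "style" and el.text:
            found += [c for c in CSS_URL.findall(el.text) if leaves_document(c)]
    return found


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, external_references(doc))
```

An empty list means no outward reference was found by this check; it does not replace upgrading to a fixed version or disabling SVG previews.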