
Cloud Vulnerability DB
A community-led vulnerabilities database
The Nextcloud dialogs library (npm package @nextcloud/dialogs) before version 3.1.2 contained a cross-site scripting (XSS) vulnerability, tracked as CVE-2021-29438 and publicly disclosed on April 13, 2021. The issue affected the library's toast functionality: text passed to a toast notification was insufficiently escaped before being rendered (GitHub Advisory, NVD).
The root cause was that the string handed to the toast function was inserted into the notification's markup without HTML escaping. Any application that displayed a toast built from user-controlled text (for example an uploaded file name or a share note echoed back in an error message) therefore let HTML metacharacters in that text be interpreted as markup, and an attacker could inject script. The vulnerability was rated CVSS v3.1 Base Score 5.4 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N: network-reachable, low attack complexity, requires a low-privileged account and user interaction, and results in limited confidentiality and integrity impact (NVD).
If exploited, the injected script runs in the browser with the origin and session of the affected application, so whatever that session can do, the script can do. The practical impact was reduced by Nextcloud Server's strict Content Security Policy, which blocks the usual inline-script payloads; that mitigation applies only where the library is running under such a policy and does not change the library's own behaviour (GitHub Advisory, NVD).
The vulnerability was patched in version 3.1.2 of the @nextcloud/dialogs package, which escapes toast text by default. Callers that genuinely need to render HTML in a toast must now opt in explicitly by passing the options.isHTML flag, and should do so only with markup they control. For deployments that cannot upgrade, the recommended workaround is to ensure that no user-supplied input flows into toasts (GitHub Advisory).
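To make the mechanism and the fix concrete, here is an added illustration written for this page; it is not code from @nextcloud/dialogs or from Nextcloud. It models a toast renderer in the pre-3.1.2 style (caller text dropped straight into the notification's markup) beside the patched style (escape by default, raw HTML only when the caller passes an isHTML option). The function names renderToastVulnerable, renderToastFixed, escapeHtml and containsLiveMarkup, the toast markup and the attacker payload are all constructed for the example and are not the library's own API.

```javascript
// Added example (not @nextcloud/dialogs code): a minimal model of an XSS-prone
// toast renderer beside its hardened counterpart. Runs under Node without a DOM
// because it only builds the HTML string a toast would be rendered from.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can terminate a text node or an attribute
// value in HTML, so the string is always rendered as text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Models the vulnerable pattern (hypothetical name): whatever the caller passes
// ends up in the notification markup verbatim, so attacker-controlled text
// becomes attacker-controlled HTML.
function renderToastVulnerable(text) {
  return `<div class="toast">${text}</div>`;
}

// Models the patched pattern (hypothetical name): text is escaped unless the
// caller explicitly opts into HTML rendering, which should only be done with
// markup the application itself controls.
function renderToastFixed(text, options = {}) {
  const body = options.isHTML ? String(text) : escapeHtml(text);
  return `<div class="toast">${body}</div>`;
}

// Constructed attacker payload: a "file name" that an application might echo
// back in a toast such as "Could not upload <name>". The onerror handler fires
// as soon as the broken image is inserted into the document.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';

// Rough detector for the demo: does the rendered markup still contain a live
// <img ... onerror=...> element, or only its escaped text form?
function containsLiveMarkup(html) {
  return /<img\b[^>]*onerror=/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable :', renderToastVulnerable(PAYLOAD));
console.log('fixed      :', renderToastFixed(PAYLOAD));
console.log('opt-in HTML:', renderToastFixed('<b>Upload finished</b>', { isHTML: true }));
```

The vulnerable renderer emits the `<img>` tag intact and the event handler would execute in the application's origin; the fixed renderer emits `&lt;img src=x onerror=&quot;...&quot;&gt;`, which the browser shows as literal text. The opt-in path still renders HTML unchanged, which is why the page's advice to keep user-supplied input out of toasts remains relevant even after upgrading: the flag moves the responsibility for escaping to the caller.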
Source: This report was generated using AI