CVE-2021-39221: 
NixOS vulnerability analysis and mitigation

The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and disclosed on October 25, 2021, affecting the Contacts component of the Nextcloud open-source, self-hosted productivity platform (Nextcloud Advisory, NVD).

The vulnerability allowed for stored Cross-Site Scripting (XSS) attacks. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. The vulnerability was classified with CWE-434 and received a low severity rating due to the mitigating factors present in the system, particularly the strict Content-Security-Policy shipped with Nextcloud which prevented exploitation on modern browsers supporting CSP (Nextcloud Advisory).

The impact of this vulnerability was limited due to Nextcloud's built-in security measures. Due to the strict Content-Security-Policy (CSP) shipped with Nextcloud, this issue was not exploitable on modern browsers that support Content-Security-Policy. However, browsers without proper CSP support, such as Internet Explorer, remained vulnerable (Nextcloud Advisory).

The primary mitigation was to upgrade the Nextcloud Contacts application to version 4.0.3. As a workaround, users could use a browser that has support for Content-Security-Policy. A list of supported browsers could be found on caniuse.com. It was noted that Internet Explorer was a notable exception as it did not support CSP properly (Nextcloud Advisory).