Contextualizing Security Report Results
- Bootstrap Version 3.3.x
The string "Bootstrap v3.3.x" appears in some bundled JavaScript files because it is part of a copyright comment in a SCSS file in a dependency. However, Bootstrap v3.3.x JavaScript code is not used anywhere, only some SCSS rules copied over that are not vulnerable.
- unsafe-inline Content Security Policy
Nextcloud is not using the unsafe-inline CSP for scripts, only for styles. It is an accepted risk on the side of Nextcloud, and considered a low risk. The unsafe-inline CSP is considered a Technical Debt and will disappear as the code base moves forward towards a rewrite in Vue for the frontend.
- User Enumeration on various endpoints
There are various endpoints that might show up in a security report that are susceptible to User Enumeration. This is an accepted risk on the side of Nextcloud, and considered a low risk. Due to the collaborative nature of Nextcloud, such as the possibility of federating with another Nextcloud instance, User Enumeration is even a necessity.
More details on the Threat Model for Nextcloud can be found at https://nextcloud.com/security/threat-model/
Subscriber exclusive content
A Nextcloud Enterprise Subscription provides unlimited access to our knowledge base articles and direct access to Nextcloud engineers.