Nextcloud server software: Content Spoofing

In Nextcloud the "dir" parameter is vulnerable to content spoofing attack. If anyone puts a valid directory name in dir parameter then it goes that directory other wise it redirects to the home directory (/) By putting `../../` in dir parameter I was able to stop the redirect then I had put some messages after that and that messages reflected with the same given format. So here an attacker can send his messages directly through url. Poc link `http://192.168.0.118/nextcloud/index.php/apps/files/?dir=../../Welcome+to+Nexcloud+You+can+get+pro+account+by+navigating+this+example.com` Thanks.