Security Advisory

XSS Vulnerability in MediaElement.js (oC-SA-2013-017)

19th April 2013

Risk level: High

Description

A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.5, including the 4.5.x branch, allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL.

This vulnerability exists in the bundled third-party plugin “MediaElement.js”. The MediaElement.js project has released version 2.11.2, which addresses the problem.

Affected Software

  • ownCloud Server < 5.0.5 (CVE-2013-1967)
  • ownCloud Server < 4.5.10 (CVE-2013-1967)

Action Taken

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Malte Batram - Vulnerability discovery and disclosure.