Security Advisory

Multiple XSS (oC-SA-2014-010)

24th May 2014

Risk level: Medium

Description

Because not all user-provided input is sanitised, the ownCloud versions listed below are vulnerable to several XSS attack vectors.

ownCloud sends a Content-Security-Policy that instructs browsers to disable inline JavaScript execution. This vulnerability is therefore likely not exploitable if you use a browser that fully supports the current CSP standard.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3832, CVE-2014-3833)
  • ownCloud Server < 5.0.16 (CVE-2014-3833)

Action Taken

ownCloud offers the function `p()`, which encodes potentially dangerous input using `htmlspecialchars()`. We have reviewed whether its potentially insecure counterpart `print_unescaped()` was used in other places and replaced unneeded occurrences with the safe variant.

This review helped us to discover vulnerabilities in the following components.

stable6
  • Gallery (stored) (CVE-2014-3833)
  • ownCloud core (stored + reflected) (CVE-2014-3833)
  • Documents (stored) (CVE-2014-3832)
stable5
  • Gallery (stored) (CVE-2014-3833)
  • ownCloud core (stored + reflected) (CVE-2014-3833)
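
The review of `print_unescaped()` usage described in this section can be approximated with a script. The following is an added example, not ownCloud's code or tooling: a heuristic Python scanner that lists `print_unescaped()` calls whose argument is not a constant string. The names `audit` and `argument_at` and the sample template are constructed for illustration.

```python
import re

# Heuristic scanner: regex plus paren matching, not a PHP parser.
CALL = re.compile(r"\bprint_unescaped\s*\(")
_STR = r"""(?:'[^'\\]*'|"[^"\\$]*")"""   # quoted literal without escapes or "$var"
LITERAL = re.compile(r"\s*%s(?:\s*\.\s*%s)*\s*$" % (_STR, _STR))

def argument_at(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                  # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]           # unbalanced: keep the rest for manual review

def audit(src):
    """List (line, argument) for print_unescaped() calls whose argument is not
    a constant string; each one needs review and, if unneeded, a switch to p()."""
    findings = []
    for m in CALL.finditer(src):
        arg = argument_at(src, m.end() - 1)
        if not LITERAL.match(arg):
            findings.append((src.count("\n", 0, m.start()) + 1, arg.strip()))
    return findings

# Constructed template source (not taken from ownCloud).
SAMPLE = """<h1><?php p($title); ?></h1>
<div class="crumb"><?php print_unescaped($dir); ?></div>
<?php print_unescaped('<br />'); ?>
<li><?php print_unescaped('<b>' . $owner . '</b> (shared)'); ?></li>
"""

if __name__ == "__main__":
    for line, arg in audit(SAMPLE):
        print("line %d: print_unescaped(%s)" % (line, arg))
```

A flagged call is a candidate for manual review, not a confirmed vulnerability: the argument may already be encoded or may intentionally carry trusted markup.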

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. (lukas@owncloud.org) - Vulnerability discovery and disclosure.