< go back to overview

Log pollution can potentially lead to local HTML injection

Platform: ownCloud Server

Versions: 8.1.9, 8.2.7, 9.0.4,

Date: 7/19/2016

Risk level: Low

CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CWE: Information Exposure Through an Error Message (CWE-209)

HackerOne report: 146278


The “download log” functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as HTML document. Thus any injected data in the log would be executed.

While the document would only be executed locally (thus on another scope) we have decided to fix this to protect our users.

Affected Software

Action Taken

The file is now delivered with a content-type of “application/octet-stream”.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Alejo Popovici – Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.