Multiple stored XSS in “contacts” application
Platform: ownCloud Server
Versions: 5.0.19, 6.0.7, 7.0.5,
Risk level: Medium
Due to not sanitising all user provided input, the “contacts” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “contacts” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.
Successful exploitation requires that the adversary is able to access the contact group and share contacts with the victim. The victim then has to access the contacts application and edit the maliciously drafted contact.
eval like construct which is currently allowed in our default Content-Security-Policy, thus this is effectively exploitable in any browser.
- ownCloud Server < 7.0.5 (CVE-2015-3011)
- ownCloud Server < 6.0.7 (CVE-2015-3011)
- ownCloud Server < 5.0.19 (CVE-2015-3011)
The user input is now properly sanitised before provided back to the user. Furthermore, with ownCloud 8.2 the default Content-Security-Policy will forbid any
eval like constructs by default as an additional layer of defense.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Hugh Davenport – All The Things Limited (firstname.lastname@example.org) – Vulnerability discovery and disclosure.