< go back to overview

Multiple stored XSS in “contacts” application

Platform: ownCloud Server

Versions: 5.0.19, 6.0.7, 7.0.5,

Date: 3/25/2015

Risk level: Medium


Due to not sanitising all user provided input, the “contacts” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “contacts” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.

Successful exploitation requires that the adversary is able to access the contact group and share contacts with the victim. The victim then has to access the contacts application and edit the maliciously drafted contact.

While ownCloud advises browsers to disable inline JavaScript execution this vulnerability is caused by a eval like construct which is currently allowed in our default Content-Security-Policy, thus this is effectively exploitable in any browser.

Affected Software

  • ownCloud Server < 7.0.5 (CVE-2015-3011)
  • ownCloud Server < 6.0.7 (CVE-2015-3011)
  • ownCloud Server < 5.0.19 (CVE-2015-3011)

Action Taken

The user input is now properly sanitised before provided back to the user. Furthermore, with ownCloud 8.2 the default Content-Security-Policy will forbid any eval like constructs by default as an additional layer of defense.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Hugh Davenport – All The Things Limited (contact@allthethings.co.nz) – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.