< go back to overview

Multiple stored XSS in “documents” application

Platform: ownCloud Server

Versions: 5.0.19, 6.0.7, 7.0.5,

Date: 3/25/2015

Risk level: Medium


Due to not sanitising all user provided input, the “documents” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “documents” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.

Successful exploitation requires that the adversary is able to modify a WebODF document and a victim opens the shared document.

ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy; this vulnerability is therefore not exploitable if you use a browser that supports the current CSP standard. You can check at CanIUse.com whether your browser supports our Content-Security-Policy.

Affected Software

  • ownCloud Server < 7.0.5 (CVE-2015-3012)
  • ownCloud Server < 6.0.7 (CVE-2015-3012)
  • ownCloud Server < 5.0.19 (CVE-2015-3012)

Action Taken

The issue was caused by not sanitising a Dojo component in WebODF. These not sanitised parts are now properly sanitised and fixed with WebODF v0.5.5, details can be found at the WebODF changelog.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Roy Jansen (rvahax@gmail.com) – Vulnerability discovery and disclosure.
  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.com) – Further analysis and discovery of other related bugs.

Share this