Multiple stored XSS in “documents” application
Platform: ownCloud Server
Versions: 5.0.19, 6.0.7, 7.0.5
Risk level: Medium
Because not all user-provided input is sanitised, the “documents” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “documents” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.
Successful exploitation requires that the adversary is able to modify a WebODF document and that a victim opens the shared document.
- ownCloud Server < 7.0.5 (CVE-2015-3012)
- ownCloud Server < 6.0.7 (CVE-2015-3012)
- ownCloud Server < 5.0.19 (CVE-2015-3012)
The issue was caused by an unsanitised Dojo component in WebODF. The affected parts are now properly sanitised, and the fix is included in WebODF v0.5.5. Details can be found in the WebODF changelog.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Roy Jansen (firstname.lastname@example.org) – Vulnerability discovery and disclosure.
- Lukas Reschke – ownCloud Inc. (email@example.com) – Further analysis and discovery of other related bugs.