Multiple stored XSS
Platform: ownCloud Server
Risk level: Medium
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via
- the calendar displayname to part.choosecalendar.rowfields.php
- part.choosecalendar.rowfields.shared.php in apps/calendar/templates/
- unspecified vectors to apps/contacts/lib/vcard.php
- ownCloud Server < 4.0.1 (CVE-2012-4395)
It is recommended that all instances are upgraded to ownCloud Server 4.0.1.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.