
Multiple XSS

Platform: ownCloud Server

Versions: 5.0.16, 6.0.3

Date: 5/24/2013

Risk level: Medium


Because not all user-provided input was sanitised, the ownCloud versions listed below are vulnerable to several XSS attack vectors.

ownCloud sends a Content-Security-Policy that instructs browsers to disable inline JavaScript execution. This vulnerability is therefore likely not exploitable if you use a browser that fully supports the current CSP standard.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3832, CVE-2014-3833)
  • ownCloud Server < 5.0.16 (CVE-2014-3833)

Action Taken

ownCloud offers the function `p()`, which encodes potentially dangerous input using `htmlspecialchars()`. We have reviewed whether its potentially insecure counterpart `print_unescaped()` was used in other places and replaced unneeded occurrences with the safe variant.

This review helped us to discover vulnerabilities in the following components.


  • Gallery (stored) (CVE-2014-3833)
  • ownCloud core (stored + reflected) (CVE-2014-3833)
  • Documents (stored) (CVE-2014-3832)


  • Gallery (stored) (CVE-2014-3833)
  • ownCloud core (stored + reflected) (CVE-2014-3833)
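
The review described under Action Taken can be partly automated. The following is an added example, not ownCloud's own tooling: a Python script that lists every `print_unescaped()` call in a template and marks those whose argument references a PHP variable for manual review. The sample template is constructed, and treating `$_[...]` as controller-supplied data and `$l->t()` as a trusted translation call are assumptions.

```python
import re

# Constructed sample template (not ownCloud source). Assumed conventions:
# $_[...] holds controller-supplied values, $l->t() returns a translated string.
SAMPLE = r'''<div class="album">
  <h1><?php print_unescaped($_['albumName']); ?></h1>
  <p><?php p($_['owner']); ?></p>
  <?php print_unescaped('<span class="icon">(shared)</span>'); ?>
  <?php print_unescaped($l->t('Costs $5 <b>now</b>')); ?>
  <?php print_unescaped($l->t('Shared by %s', array($_['owner']))); ?>
</div>
'''

CALL = re.compile(r"\bprint_unescaped\s*\(")
SINGLE_QUOTED = re.compile(r"'(?:\\.|[^'\\])*'")

def call_argument(src, start):
    """Text of the call argument starting at src[start], up to the matching ')'.
    Tracks nested parentheses and skips parentheses inside string literals."""
    depth, i, quote = 1, start, None
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[start:i]
        i += 1
    return src[start:]                 # unbalanced: hand the rest to a human

def audit(src):
    """Return (line, argument, verdict) for every print_unescaped() call."""
    findings = []
    for m in CALL.finditer(src):
        arg = call_argument(src, m.end())
        # A '$' in a single-quoted PHP literal is plain text; one in a
        # double-quoted literal interpolates, so only the former is blanked.
        code = SINGLE_QUOTED.sub("''", arg).replace("$l->t", "t")
        verdict = "review" if "$" in code else "static"
        findings.append((src.count("\n", 0, m.start()) + 1, arg.strip(), verdict))
    return findings
```

Calling `audit(SAMPLE)` reports lines 2 and 6 as `review` and lines 4 and 5 as `static`. A `review` verdict marks a call for a human to check whether `p()` can be used instead; it is not proof of a vulnerability.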


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.
