Multiple XSS vulnerabilities
Platform: ownCloud Server
Versions: 4.0.9, 4.5.1
Risk level: Medium
CVSS v3 Base Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
HackerOne report: 215410
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.0 allow remote attackers to inject arbitrary web script or HTML via
- the filename to versions.js in apps/files_versions/js/
- the filename to filelist.js in apps/files/js/
- the event title to fullcalendar.js in 3rdparty/fullcalendar/js/

- ownCloud Server < 4.5.1 (CVE-2012-5605)
- ownCloud Server < 4.0.9 (CVE-2012-5605)
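The bug class above is untrusted text (a filename, an event title) being concatenated into client-side markup. The following is an added illustration written for this advisory, not ownCloud's or fullcalendar's code; `renderFileRowUnsafe`, `renderFileRowSafe`, `escapeHtml` and the sample filename are all assumed names and constructed values.

```javascript
// Added illustrative example (not ownCloud's code): how a filename taken
// from the server ends up in a file-list row, first unescaped, then escaped.

// Minimal HTML escaper covering text content and double-quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the filename is spliced straight into the markup string,
// so any tag or attribute syntax inside the name becomes part of the page.
function renderFileRowUnsafe(filename) {
  return '<tr data-file="' + filename + '"><td>' + filename + '</td></tr>';
}

// Hardened pattern: escape the value once per HTML context it is written into
// (here an attribute value and element text), so markup stays literal text.
function renderFileRowSafe(filename) {
  const safe = escapeHtml(filename);
  return '<tr data-file="' + safe + '"><td>' + safe + '</td></tr>';
}

// Constructed sample filename carrying markup, used as a defender's test input.
const sampleName = 'report<b>.txt';

// Quick self-check a maintainer can run: the unsafe renderer leaks a tag,
// the safe one does not.
function tagLeaks(render, name) {
  return render(name).includes('<b>');
}

console.log('unsafe leaks tag:', tagLeaks(renderFileRowUnsafe, sampleName)); // true
console.log('safe leaks tag:  ', tagLeaks(renderFileRowSafe, sampleName));   // false
```

The same escaping applies to the calendar event title rendered by fullcalendar.js; prefer DOM APIs such as `textContent` over string-built HTML where the code is rewritten.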
It is recommended that all instances be upgraded to ownCloud Server 4.5.1 or 4.0.10.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Shai Rod – Vulnerability discovery and disclosure.