Reflected XSS in OCS provider discovery
Platform: ownCloud Server
Versions: 7.0.12, 8.0.10, 8.1.5, 8.2.2,
Risk level: Low
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
A Cross-site scripting (XSS) vulnerability in the OCS discovery provider in ownCloud Servers allows remote attackers to inject arbitrary web script or HTML via the URL resulting in a reflected Cross-Site-Scripting.
Since ownCloud employs a strict Content-Security-Policy that forbids inline script execution this bug is unlikely to be exploitable on recent browsers that support Content-Security-Policy. (Firefox >= 23, Chrome >= 25, Safari >= 7, Microsoft Edge)
- ownCloud Server < 8.2.2 (CVE-2016-1498)
- ownCloud Server < 8.1.5 (CVE-2016-1498)
- ownCloud Server < 8.0.10 (CVE-2016-1498)
- ownCloud Server < 7.0.12 (CVE-2016-1498)
The vulnerable component is now properly sanitizing the output.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.