Stored XSS in “activity” application
Platform: ownCloud Server
Versions: 7.0.5, 8.0.4,
Risk level: Low
CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Due to not sanitising all user provided input, the “activity” application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The “activity” application is enabled by default in the ownCloud Community Edition and Enterprise Edition.
Successful exploitation requires that the adversary is able to create files containing the
" character. This character is forbidden by default in any current ownCloud version except 8.1.0 RC1, thus an actual exploitation requires that the user has mounted an external storage within ownCloud where a user can create files with such characters. Alternatively an adversary may discover a way to circumvent the input validation. (ownCloud is not aware of a bypass of to the input validation) – Furthermore the attacker must be able to share a folder containing the files with malicious filename with the victim.
Since ownCloud employs a strict Content-Security-Policy that forbids inline script execution. Thus this bug is unlikely to be exploitable on recent browsers that support Content-Security-Policy. (Firefox >= 23, Chrome >= 25, Safari >= 7)
- ownCloud Server < 7.0.5 (CVE-2015-5953)
- ownCloud Server < 8.0.4 (CVE-2015-5953)
The output is now properly sanitized.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.