Stored XSS in “bookmarks” application
Platform: ownCloud Server
Versions: 5.0.18, 6.0.6, 7.0.3
Risk level: Medium
Because not all user-provided input is sanitised, the “bookmarks” application shipped with the ownCloud versions listed below is vulnerable to a stored cross-site scripting attack.
The “bookmarks” application is disabled by default.
Abusing this vulnerability requires the user to import a maliciously crafted “bookmark file”. However, an attacker can leverage oC-SA-2014-027 to achieve this.
Successful exploitation requires that the victim then clicks on the maliciously crafted entry within the bookmarks application.
- ownCloud Server < 7.0.3 (CVE-2014-9042)
- ownCloud Server < 6.0.6 (CVE-2014-9042)
- ownCloud Server < 5.0.18 (CVE-2014-9042)
The issue was caused by not verifying the protocol when importing a bookmark from a “bookmark file”. Therefore it was possible to import links such as
The template system now verifies whether a bookmark URL starts with a supported protocol. If it does not, http:// is prepended to the URL to prevent exploitation of such issues.
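The following is an added illustration of the fix described above, written for this advisory and not taken from ownCloud's own code. It imports entries from a constructed Netscape-style bookmark file, applies the scheme check (the allowed-scheme set is an assumption, since the advisory only says "a supported protocol"), prepends http:// to anything else, and escapes the result when rendering the link. The canonicalisation step goes slightly beyond the advisory: it strips the whitespace and control characters that browsers ignore, so a scheme hidden behind leading spaces or an embedded tab is still caught.

```python
import html
import re
from html.parser import HTMLParser

# Assumption: schemes a stored bookmark may legitimately use. The advisory
# names no explicit list, only "a supported protocol".
ALLOWED_SCHEMES = frozenset({"http", "https", "ftp", "ftps"})

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Browsers drop ASCII tab/CR/LF anywhere in a URL and trim leading/trailing
# C0 controls and spaces before parsing, so "java\tscript:" or "  javascript:"
# reaches the browser as "javascript:". Apply the same rules first so the
# scheme check sees what the browser will see.
_INNER_STRIP = re.compile(r"[\t\n\r]")
_EDGE_STRIP = "".join(chr(c) for c in range(0x21))  # 0x00-0x20


def canonicalize(raw: str) -> str:
    return _INNER_STRIP.sub("", raw).strip(_EDGE_STRIP)


def normalize_bookmark_url(raw: str) -> str:
    """Keep URLs with an allowed scheme; otherwise prepend http:// as the fix does.

    A "javascript:alert(1)" payload becomes "http://javascript:alert(1)",
    which the browser no longer treats as script. Schemeless input such as
    "example.org/page" becomes "http://example.org/page".
    """
    url = canonicalize(raw)
    match = _SCHEME_RE.match(url)
    if match and match.group(1).lower() in ALLOWED_SCHEMES:
        return url
    return "http://" + url


class _BookmarkFileParser(HTMLParser):
    """Collects (title, href) pairs from a Netscape-style bookmark file."""

    def __init__(self) -> None:
        super().__init__()
        self.entries = []
        self._href = None
        self._title = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser decodes entities in attribute values for us.
            self._href = dict(attrs).get("href", "")
            self._title = []

    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.entries.append(("".join(self._title).strip(), self._href))
            self._href = None


def import_bookmarks(file_text: str):
    """Parse a bookmark file and normalise every URL before it is stored."""
    parser = _BookmarkFileParser()
    parser.feed(file_text)
    parser.close()
    return [(title, normalize_bookmark_url(href)) for title, href in parser.entries]


def render_link(title: str, url: str) -> str:
    """Escape both the attribute and the text context when rendering."""
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(title))


# Constructed sample input; the last two entries are hypothetical payloads.
SAMPLE_BOOKMARK_FILE = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="https://owncloud.org/">ownCloud</A>
    <DT><A HREF="owncloud.org/security">no scheme</A>
    <DT><A HREF="  JavaScript:alert(1)">hidden payload</A>
    <DT><A HREF="java&#9;script:alert(1)">split scheme</A>
</DL><p>
"""

if __name__ == "__main__":
    for title, url in import_bookmarks(SAMPLE_BOOKMARK_FILE):
        print(render_link(title, url))
```

Prepending http:// follows the advisory's resolution; rejecting the entry outright is the stricter alternative. Either way the scheme check is done on the canonicalised value, and escaping at render time remains necessary because the title and the rest of the URL are still attacker-controlled text.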
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.