Stored XSS in CardDAV image export
Platform: ownCloud Server
Versions: 9.0.6, 9.1.2
Risk level: Medium
CVSS v3 Base Score: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
HackerOne report: 163338
The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Because no verification of any kind is performed on the image content, this is prone to a stored Cross-Site Scripting attack.
Note: ownCloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don't support Content Security Policy.
- ownCloud Server < 9.1.2 (CVE-2016-????)
- ownCloud Server < 9.0.6 (CVE-2016-????)
The mimetype of the exported image is now compared against a whitelist, and download disposition headers have been set on the response.
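The two mitigations named above (a mimetype whitelist plus download-disposition headers), modelled as an added Python example that is not ownCloud's own code; the function names, the whitelist contents and the sample inputs are assumptions made for illustration:

```python
# Added example, not ownCloud code: export a vCard PHOTO only if its bytes
# sniff as a whitelisted raster image, and serve it with headers that force
# a download so the browser never renders the content inline on the DAV origin.
import base64

# Content types the export endpoint is willing to serve (assumed whitelist).
ALLOWED_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}

# Magic-number signatures used to determine the real content type of the bytes.
# The type declared inside the vCard is attacker-controlled and is ignored.
_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def sniff_image_type(data: bytes):
    """Return the sniffed image MIME type, or None when no signature matches."""
    for magic, mimetype in _SIGNATURES:
        if data.startswith(magic):
            return mimetype
    return None


def is_exportable(data: bytes) -> bool:
    """True only when the content sniffs as a whitelisted image type."""
    return sniff_image_type(data) in ALLOWED_IMAGE_TYPES


def export_vcard_photo(data: bytes, filename: str = "photo"):
    """Build a hardened (headers, body) response for a decoded PHOTO value.

    Raises ValueError for anything that is not a whitelisted image, so an
    HTML or SVG payload smuggled into the vCard is never served at all.
    """
    if not is_exportable(data):
        raise ValueError("refusing to export non-image content")
    headers = {
        "Content-Type": sniff_image_type(data),
        # Download disposition: the browser saves the file instead of rendering it.
        "Content-Disposition": f'attachment; filename="{filename}"',
        # Stop browsers from second-guessing the declared type.
        "X-Content-Type-Options": "nosniff",
    }
    return headers, data


if __name__ == "__main__":
    # Constructed sample: a vCard PHOTO line carries base64, decode it first.
    photo_b64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
    print(export_vcard_photo(base64.b64decode(photo_b64), "avatar.png")[0])
```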
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: