XSS in search dialogue
Platform: ownCloud Server
Versions: 9.1.6,
Date: 5/31/2017
Risk level: Low
CVSS v3 Base Score: 2.6 (CVSS:AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N)
CWE: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)a (CWE-79)
Description
Inadequate escaping lead to XSS vulnerability in the search module. To be exploitable an user has to write or paste malicious content into the search dialogue.
Affected Software
- ownCloud Server < 10.0.2 (CVE-2017-9338)
- ownCloud Server < 9.1.6 (CVE-2017-9338)
- ownCloud Server < 9.0.10 (CVE-2017-9338)
- ownCloud Server < 8.2.12 (CVE-2017-9338)
Action Taken
Escape output
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Ahsan Khan – Vulnerability discovery and disclosure.
This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com