XSS vulnerability in bookmarks
Platform: ownCloud Server
Versions: 4.0.10, 4.5.5
Risk level: Medium
A cross-site scripting (XSS) vulnerability in ownCloud before 4.5.5 and 4.0.10 allows remote attackers to inject arbitrary web script or HTML via the PATH data to index.php in apps/bookmark/.
- ownCloud Server < 4.5.5 (CVE-2013-5666)
- ownCloud Server < 4.0.10 (CVE-2013-5666)
It is recommended that all instances are upgraded to ownCloud Server 4.5.5 or 4.0.10.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Yuji Kosuga – Vulnerability discovery and disclosure.