XSS Vulnerability in MediaElement.js (oC-SA-2013-017)
19th April 2013
Risk level: High
This vulnerability exists in the bundled third-party plugin “MediaElement.js”. MediaElement.js has released version 2.11.2, which addresses the problem.
- ownCloud Server < 5.0.5 (CVE-2013-1967)
- ownCloud Server < 4.5.10 (CVE-2013-1967)
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Malte Batram - Vulnerability discovery and disclosure.