ownCloud server 8.1.1Information Exposure Through Directory Listing in the file scanner
Calendar export: Authorization Bypass Through User-Controlled Key
ownCloud desktop 1.8.2Improper validation of certificates when using self-signed certificates
ownCloud mobile iOS 3.4.4Improper validation of certificates within the iOS application
Credentials potentially leaked to other configured ownCloud instance
XSS Vulnerability in MediaElement.js (oC-SA-2013-017)
19th April 2013
Risk level: High
This vulnerability exists in the bundled 3rdparty plugin “MediaElement.js”, “MediaElement.js” released version 2.11.2 which addresses the problem.
- ownCloud Server < 5.0.5 (CVE-2013-1967)
- ownCloud Server < 4.5.10 (CVE-2013-1967)
It is recommended that all instances are upgraded to ownCloud Server 5.0.5 or 4.5.10.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Malte Batram - Vulnerability discovery and disclosure.