ownCloud: apps.owncloud.com: Stored XSS in profile page

ID H1:84371
Type hackerone
Reporter enderun07
Modified 2015-10-11T07:05:31


Hi ownCloud,

I've found an XSS vulnerability on apps.owncloud.com.

When I add a comment in any comment field, my profile page shows my latest comment.

When I add a comment that starts with "><img src=x onerror=confirm(2)> the page shows this comment

so an XSS alert occurs on the profile page.

Even if a victim is not authenticated, the vulnerability occurs on the page.
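
Added example (not part of the original report and not ownCloud's code): a hypothetical profile template that shows a "latest comment", rendered once without output encoding and once with it, using the comment string from the report as test input. The template markup, the function names and the assumption that the comment lands in both an attribute value and element content are illustrative only.

```javascript
// Added illustration; the template below is hypothetical, not ownCloud's code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the stored comment is interpolated raw, so a leading "> closes
// the attribute and the tag, and the rest is parsed as new markup.
function renderLatestCommentUnsafe(comment) {
  return `<a class="latest-comment" title="${comment}">${comment}</a>`;
}

// After: the comment is encoded at output time, in both places it appears.
function renderLatestCommentSafe(comment) {
  const encoded = escapeHtml(comment);
  return `<a class="latest-comment" title="${encoded}">${encoded}</a>`;
}

// Regression check: the template itself emits exactly one opening tag,
// so any higher count means user data was parsed as markup.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// The comment text quoted in the report.
const REPORTED_COMMENT = '"><img src=x onerror=confirm(2)>';

console.log('unsafe:', countOpeningTags(renderLatestCommentUnsafe(REPORTED_COMMENT)));
console.log('safe:  ', countOpeningTags(renderLatestCommentSafe(REPORTED_COMMENT)));
```

Because the profile page is served to unauthenticated visitors as well, the encoding has to happen wherever the stored comment is written into a page, not only on the form that accepted it.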