Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via:
- file names to apps/user_ldap/settings.php
- url or title parameter to apps/bookmarks/ajax/editBookmark.php
- tag or page parameter to apps/bookmarks/ajax/updateList.php
- identity to apps/user_openid/settings.php
- stack name in apps/gallery/lib/tiles.php
- root parameter to apps/gallery/templates/index.php
- calendar displayname in apps/calendar/templates/part.import.php
- calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php
- title, location, or description parameter in apps/calendar/lib/object.php
- certain vectors in core/js/multiselect.js
- artist, album, or title comments parameter in apps/media/lib_scanner.php
For more information, please consult the official advisory.
This advisory is licensed under CC BY-SA 4.0.