Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10 and all prior versions allow remote attackers to inject arbitrary web script or HTML via:
- the GET parameters to resetpassword.php in core/lostpassword/templates/ (CVE-2013-0201)
  - Commits: c05c8ab (stable45), 4e2b834 (stable4)
  - Risk: Medium
  - Note: This is a reflected XSS that can only be abused using Internet Explorer 9 and earlier.
- the mime parameter to mimeicon.php in apps/files/ajax/ (CVE-2013-0201)
  - Commits: b8e0309 (stable45), f603454 (stable4)
  - Risk: Medium
  - Note: This is a reflected XSS that only affects ownCloud installations hosted on Windows.
- the token parameter to sharing.php in apps/gallery/ (CVE-2013-0201)
  - Commits: 34ac2f5 (stable45), f71f0ad (stable4)
  - Risk: Medium
  - Note: This is a reflected XSS; successful exploitation requires the “gallery” app to be enabled.
- the action parameter to sharing.php in core/ajax/ (CVE-2013-0202)
  - Commits: fb334f3 (stable45), 306d5ee (stable4)
  - Risk: Low
  - Note: This is a self XSS; successful exploitation requires the user to enter the malicious JavaScript themselves.
- the POST parameters to new.php in apps/calendar/ajax/event/ (CVE-2013-0203)
  - Commits: 9e6ba80e (stable45), 708bd (stable4)
  - Risk: High
  - Note: This is a stored XSS; successful exploitation requires the “calendar” app to be enabled. An authenticated remote attacker may be able to share the crafted event with other users.
- the url parameter to addBookmark.php in apps/bookmarks/ajax/ (CVE-2013-0203)
  - Commits: 6aba1e8 (stable45), 3f37063 (stable4)
  - Risk: Low
  - Note: This is a stored XSS; successful exploitation requires the “bookmarks” app to be enabled.
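Until the listed commits are deployed, a defender can watch the web server access log for the advisory's GET endpoints receiving markup in the named parameters. The following detection script is an added example, not ownCloud code; the endpoint/parameter table comes from the advisory above, the installation prefix (/owncloud/) and the log lines are constructed, and the calendar new.php issue is left out because its POST parameters never appear in the access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> GET parameters named in the advisory ("*": any parameter, since the
# advisory names no single one for resetpassword.php). calendar/.../new.php takes
# POST parameters, which never reach the access-log query string, so it is omitted.
WATCHED = {
    "core/lostpassword/templates/resetpassword.php": {"*"},
    "apps/files/ajax/mimeicon.php": {"mime"},
    "apps/gallery/sharing.php": {"token"},
    "core/ajax/sharing.php": {"action"},
    "apps/bookmarks/ajax/addBookmark.php": {"url"},
}
# A genuine mime type, share token, action name or bookmark URL never needs these.
MARKUP = re.compile(r'[<>"\']')
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target):
    """Return [(param, decoded value)] for listed parameters that carry markup."""
    parts = urlsplit(target)
    params = next((p for ep, p in WATCHED.items() if parts.path.endswith("/" + ep)), None)
    if params is None:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if "*" in params or name in params:
            hits += [(name, v) for v in values if MARKUP.search(v)]
    return hits


def scan_log(lines):
    """Return (line number, path, hits) for every access-log line that trips the rule."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            hits = suspicious_params(m.group("target"))
            if hits:
                findings.append((lineno, urlsplit(m.group("target")).path, hits))
    return findings


# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2013:10:01:02 +0000] "GET /owncloud/apps/files/ajax/mimeicon.php?mime=image%2Fpng HTTP/1.1" 200 312',
    '10.0.0.7 - - [28/Jan/2013:10:01:09 +0000] "GET /owncloud/apps/files/ajax/mimeicon.php?mime=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 312',
    '10.0.0.7 - - [28/Jan/2013:10:01:15 +0000] "GET /owncloud/apps/gallery/sharing.php?token=abc123 HTTP/1.1" 200 4096',
    '10.0.0.9 - - [28/Jan/2013:10:02:00 +0000] "GET /owncloud/index.php?q=%3Cb%3E HTTP/1.1" 200 1024',
]
```

Only the second sample line is reported: the markup in the fourth line hits a path the advisory does not list, so the rule stays quiet there.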
For more information, please consult the official advisory.
This advisory is licensed under CC BY-SA 4.0.