Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to inject arbitrary web script or HTML via:
- the “site_name” and “site_url” POST parameters to setsites.php in /apps/external/ajax/ (CVE-2013-0297)
  - Commits: e0140a (stable45), 1fbb89a (stable4)
  - Risk: Low
  - Note: Successful exploitation of this stored XSS requires the “external” app to be enabled (disabled by default) and administrator privileges.
- the group input field to settings.php (CVE-2013-0307)
  - Commits: e2faa92 (stable45), 57f40b2 (stable4)
  - Risk: Low
  - Note: Successful exploitation of this DOM-based self-XSS requires administrator privileges.
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6 and all prior versions (except 4.0.x) allow remote attackers to inject arbitrary web script or HTML via:
- the import of a specially crafted iCalendar file via the calendar application (CVE-2013-0298)
  - Commits: 6608da2 (stable45)
  - Risk: High
  - Note: Successful exploitation of this stored XSS requires the “calendar” app to be enabled (enabled by default); an attacker may be able to share this crafted event with other users.
- the “dir” and “file” GET parameters to viewer.php in /apps/files_pdfviewer/ (CVE-2013-0298)
  - Commits: 04cbec7 (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this reflected XSS requires the “files_pdfviewer” app to be enabled (enabled by default).
- the “mountpoint” POST parameter to addMountPoint.php in /apps/files_external/ (CVE-2013-0298)
  - Commits: d885959 (stable45)
  - Risk: Low
  - Note: Successful exploitation of this reflected XSS requires the “files_external” app to be enabled (disabled by default).
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0.