Server: Multiple XSS vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to inject arbitrary web script or HTML via

• the “site_name” and “site_url” POST parameters to setsites.php in /apps/external/ajax/ (CVE-2013-0297)
  • Commits: e0140a (stable45), 1fbb89a (stable4)
  • Risk: Low
  • Note: Successful exploitation of this stored XSS requires the “external” app to be enabled (disabled by default) and administrator privileges.
• the group input field to settings.php (CVE-2013-0307)
  • Commits: e2faa92 (stable45), 57f40b2 (stable4)
  • Risk: Low
  • Note: Successful exploitation of this DOM based self XSS requires administrator privileges.

Multiple cross-site scripting (XSS) vulnerability in ownCloud 4.5.6 and all prior versions (except 4.0.x) allow remote attackers to inject arbitrary web script or HTML via

• the import of a specially crafted iCalendar file via the calendar application (CVE-2013-0298)
  • Commits: 6608da2 (stable45)
  • Risk: High
  • Note: Successful exploitation of this stored XSS requires the “calendar” app to be enabled (enabled by default), an attacker may be able to share this crafted event with other users.
• the “dir” and “file” GET parameter to viewer.php in /apps/files_pdfviewer/ (CVE-2013-0298)
  • Commits: 04cbec7 (stable45)
  • Risk: Medium
  • Note: Successful exploitation of this reflected XSS requires the “files_pdfviewer” app to be enabled (enabled by default).
• the “mountpoint” POST parameter to addMountPoint.php in /apps/files_external/ (CVE-2013-0298)
  • Commits: d885959 (stable45)
  • Risk: Low
  • Note: Successful exploitation of this reflected XSS requires the “files_external” app to be enabled (disabled by default).

For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0