Server: Stored XSS in "bookmarks" application

Due to not sanitising all user provided input, the “bookmarks” application shipped with the below mentioned ownCloud versions is vulnerable to a stored Cross-site scripting attack.
The “bookmarks” application is disabled by default.

Abusing this vulnerability requires the user to import a malicious crafted “bookmark file”. However, an attacker can leverage oC-SA-2014-027 to achieve this.

Successful exploitation requires that the victim then clicks on the malicious crafted entry within the bookmarks application.

ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy; this vulnerability is therefore not exploitable if you use a browser that supports the current CSP standard.

For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0