ownCloud advisory OC-SA-2015-001

Server: Multiple stored XSS in "contacts" application

Published 2015-03-25 14:49:09, source: owncloud.org

EPSS score: 0.001 (Low), percentile 35.5%

Because not all user-provided input is sanitised, the “contacts” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “contacts” application is enabled by default in the ownCloud Community Edition but is not shipped with the ownCloud Enterprise Edition.

Successful exploitation requires that the adversary is able to access the contact group and share contacts with the victim. The victim then has to access the contacts application and edit the maliciously drafted contact.

While ownCloud instructs browsers (via its Content-Security-Policy) to disable inline JavaScript execution, this vulnerability is caused by an eval-like construct, which the default Content-Security-Policy currently still allows; it is therefore effectively exploitable in any browser.
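The two defences the advisory touches on are output encoding of user-controlled contact fields and a Content-Security-Policy that does not leave eval-like execution open. The following is an added illustration, not code from ownCloud or its contacts application: it escapes contact fields before they are placed in HTML, and it parses a CSP header to report whether the effective script-src still permits eval-like constructs ('unsafe-eval') or inline script ('unsafe-inline'). The field names, the sample contact and both policy strings are constructed for this example and do not describe ownCloud's actual schema or shipped policy.

```javascript
// Added example (not ownCloud's code): escaping contact fields for HTML
// and checking whether a CSP still permits eval-like or inline execution.

// Escape the characters that matter in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Render a contact card as an HTML string, escaping every user-controlled field.
// Field names (fn, email, tel, note) are assumptions for this example.
function renderContactCard(contact) {
  const fields = ['fn', 'email', 'tel', 'note'];
  return fields
    .filter((f) => contact[f] !== undefined)
    .map((f) => `<li class="${f}">${escapeHtml(contact[f])}</li>`)
    .join('');
}

// Parse a Content-Security-Policy header value into a Map of directive -> sources.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1).map((t) => t.toLowerCase()));
  }
  return directives;
}

// script-src governs script execution and falls back to default-src when absent.
// If neither directive is present, the policy places no restriction at all.
function effectiveScriptSources(header) {
  const d = parseCsp(header);
  return d.get('script-src') || d.get('default-src') || null;
}

// eval(), new Function() and string arguments to setTimeout/setInterval are
// only permitted when the effective script-src contains 'unsafe-eval'.
function cspAllowsEval(header) {
  const sources = effectiveScriptSources(header);
  return sources === null || sources.includes("'unsafe-eval'");
}

// Inline <script> blocks and on* handlers require 'unsafe-inline'.
function cspAllowsInline(header) {
  const sources = effectiveScriptSources(header);
  return sources === null || sources.includes("'unsafe-inline'");
}

// Constructed sample: a contact whose display name carries markup.
const sampleContact = {
  fn: 'Alice <script>alert(1)</script>',
  email: 'alice@example.com',
};

// Constructed policies: the first mirrors the state the advisory describes
// (inline script blocked, eval-like constructs still allowed); the second
// removes 'unsafe-eval' from script-src.
const weakCsp = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const hardenedCsp = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

console.log(renderContactCard(sampleContact));
console.log('weak policy allows eval:', cspAllowsEval(weakCsp));       // true
console.log('weak policy allows inline:', cspAllowsInline(weakCsp));   // false
console.log('hardened policy allows eval:', cspAllowsEval(hardenedCsp)); // false
```

The check is deliberately conservative about fallback: a header with no script-src and no default-src is reported as allowing eval, because the browser would impose no script restriction in that case. Escaping at render time is what stops a stored contact field from becoming markup; the CSP check shows why, per the advisory, a policy that only blocks inline script is not by itself a complete mitigation.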


For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0