ownCloud OC-SA-2015-010
Aug 03, 2015 - 2:56 p.m.

Server: Stored XSS in "activity" application

owncloud.org
EPSS: 0.001 (percentile: 30.0%)

Because not all user-provided input is sanitised, the “activity” application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The “activity” application is enabled by default in the ownCloud Community Edition and Enterprise Edition.

Successful exploitation requires that the adversary is able to create files containing the " character. This character is forbidden by default in any current ownCloud version except 8.1.0 RC1, so actual exploitation requires that the user has mounted an external storage within ownCloud where a user can create files with such characters. Alternatively, an adversary may discover a way to circumvent the input validation (ownCloud is not aware of a bypass of the input validation). Furthermore, the attacker must be able to share a folder containing the files with malicious filenames with the victim.

ownCloud employs a strict Content-Security-Policy that forbids inline script execution, so this bug is unlikely to be exploitable on recent browsers that support Content-Security-Policy (Firefox >= 23, Chrome >= 25, Safari >= 7).
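
The following added example (not code from ownCloud or from the advisory) shows why a filename check at upload time does not protect an activity entry when the name arrives through external storage, and how encoding at output closes the gap. All function names, the markup and the forbidden-character set are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not ownCloud's implementation.

// Forbidden filename characters for this sketch. Assumption: the advisory
// only confirms that '"' is forbidden by default.
const FORBIDDEN = /["<>\\:|?*]/;

// Input validation applied when a file is created through the web interface.
// Names that come from an external storage mount never pass through it.
function isAllowedFilename(name) {
  return name.length > 0 && !FORBIDDEN.test(name);
}

// Output encoding for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the filename is concatenated into an attribute unencoded,
// so a '"' in the name ends the attribute value early.
function renderActivityUnsafe(user, filename) {
  return '<a class="filename" title="' + filename + '">' + user + ' shared a file</a>';
}

// "After": every user-controlled value is encoded where it is written out,
// regardless of which storage backend supplied it.
function renderActivitySafe(user, filename) {
  return '<a class="filename" title="' + escapeHtml(filename) + '">' +
    escapeHtml(user) + ' shared a file</a>';
}

// List the attribute names on the first tag, reading each quoted value whole,
// to detect attributes that the template did not intend.
function attributeNames(html) {
  const tag = html.slice(0, html.indexOf('>'));
  return [...tag.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample: a name the upload check would reject, but which a
// user could create directly on an external storage backend.
const sample = 'notes" data-injected="1';

console.log(isAllowedFilename(sample));                              // upload check
console.log(attributeNames(renderActivityUnsafe('alice', sample)));  // extra attribute
console.log(attributeNames(renderActivitySafe('alice', sample)));    // only template attributes
```

The Content-Security-Policy described above limits what injected markup can do in supporting browsers, but only the output encoding removes the injection itself.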


For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0