Due to not sanitising all user provided input, the “documents” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “documents” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.
Successful exploitation requires that the adversary is able to modify a WebODF document and a victim opens the shared document.
ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy; this vulnerability is therefore not exploitable if you use a browser that supports the current CSP standard. You can check at CanIUse.com whether your browser supports our Content-Security-Policy.
The issue was caused by not sanitising a Dojo component in WebODF. These not sanitised parts are now properly sanitised and fixed with WebODF v0.5.5, details can be found at the WebODF changelog.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 5.0.19 | |
owncloud server | lt | 7.0.5 | |
owncloud server | lt | 6.0.7 |