Roy Jansen ([email protected]) – Vulnerability discovery and disclosure., Lukas Reschke – ownCloud Inc. ([email protected]) – Further analysis and discovery of other related bugs.OWNCLOUD:040A08AB52F1B02C37A0E3AD86ABDED9Multiple stored XSS in "documents" application - ownCloud
0.002 Low
EPSS
Percentile
59.6%
Due to not sanitising all user provided input, the “documents” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “documents” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.
Successful exploitation requires that the adversary is able to modify a WebODF document and a victim opens the shared document.
ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy; this vulnerability is therefore not exploitable if you use a browser that supports the current CSP standard. You can check at CanIUse.com whether your browser supports our Content-Security-Policy.
Affected Software
- ownCloud Server < 7.0.5 (CVE-2015-3012)
- ownCloud Server < 6.0.7 (CVE-2015-3012)
- ownCloud Server < 5.0.19 (CVE-2015-3012)
Action Taken
The issue was caused by not sanitising a Dojo component in WebODF. These not sanitised parts are now properly sanitised and fixed with WebODF v0.5.5, details can be found at the WebODF changelog.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Roy Jansen ([email protected]) - Vulnerability discovery and disclosure.
- Lukas Reschke - ownCloud Inc. ([email protected]) - Further analysis and discovery of other related bugs.
| CPE | Name | Operator | Version |
|---|---|---|---|
| owncloud server | lt | 5.0.19 | |
| owncloud server | lt | 7.0.5 | |
| owncloud server | lt | 6.0.7 |
Related
