Because not all user-provided input was sanitised, the ownCloud versions listed below are vulnerable to several XSS attack vectors.
ownCloud instructs browsers to disable inline JavaScript execution through its Content-Security-Policy. This vulnerability is therefore likely not exploitable if you use a browser that fully supports the current CSP standard.
ownCloud offers the function p(), which encodes potentially dangerous input using htmlspecialchars(). We have reviewed whether the potentially insecure counterpart print_unescaped() was used in other places and replaced unneeded occurrences with the safe variant.
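A review of this kind can be partly automated. The following is an added example, not ownCloud code: it uses PHP's tokenizer to list print_unescaped() calls whose argument contains a variable. The function name find_unescaped_output() and the template text are constructed for illustration.

```php
<?php
// Added example, not ownCloud code: list print_unescaped() calls whose
// argument contains a variable, i.e. output that bypasses the encoding in p().
function find_unescaped_output(string $source): array
{
    $tokens = token_get_all($source);
    $count = count($tokens);
    $findings = [];
    for ($i = 0; $i < $count; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING
            || strtolower($t[1]) !== 'print_unescaped') {
            continue;
        }
        // Walk the argument list up to the matching ')'.
        $depth = 0;
        $hasVariable = false;
        for ($j = $i + 1; $j < $count; $j++) {
            $a = $tokens[$j];
            if ($a === '(') {
                $depth++;
            } elseif ($a === ')') {
                if (--$depth <= 0) {
                    break;
                }
            } elseif ($a === ';') {
                break;
            } elseif ($depth > 0 && is_array($a) && $a[0] === T_VARIABLE) {
                $hasVariable = true;
            }
        }
        if ($hasVariable) {
            $findings[] = $t[2]; // line number of the call
        }
    }
    return $findings;
}

// Constructed template text (hypothetical keys), not taken from ownCloud.
$template = <<<'TPL'
<h1><?php p($_['title']); ?></h1>
<div><?php print_unescaped($_['description']); ?></div>
<?php print_unescaped('<hr>'); ?>
<td><?php print_unescaped($l->t('Shared by %s', $_['owner'])); ?></td>
TPL;

foreach (find_unescaped_output($template) as $line) {
    echo "line $line: print_unescaped() with a variable argument; use p() unless markup is intended\n";
}
```

A reported line is a candidate for review, not proof of a vulnerability: calls that print only literal markup are skipped, and a flagged call still needs a check of where its variable comes from.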
This review helped us to discover vulnerabilities in the following components.
stable6
stable5
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
CPE | Name | Operator | Version |
---|---|---|---|
 | owncloud server | lt | 6.0.3 |
 | owncloud server | lt | 5.0.16 |