XSS in Error Page - ownCloud

2017-05-31T11:40:35
ID OWNCLOUD:3595081DFB01381409FDF6CF732D9F4D
Type owncloud
Reporter Manuel Mancera – Vulnerability discovery and disclosure.
Modified 2017-12-13T13:03:44

Description

A Attacker can inject HTML script code into a error message

Affected Software

  • ownCloud Server < 10.0.2 (CVE-2017-8896)
  • ownCloud Server < 9.1.6 (CVE-2017-8896)
  • ownCloud Server < 9.0.10 (CVE-2017-8896)
  • ownCloud Server < 8.2.12 (CVE-2017-8896)

Action Taken

Escape output

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Manuel Mancera - Vulnerability discovery and disclosure.