Multiple stored XSS in "contacts" application - ownCloud

Due to not sanitising all user provided input, the “contacts” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “contacts” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.

Successful exploitation requires that the adversary is able to access the contact group and share contacts with the victim. The victim then has to access the contacts application and edit the maliciously drafted contact.

While ownCloud advises browsers to disable inline JavaScript execution this vulnerability is caused by a eval like construct which is currently allowed in our default Content-Security-Policy, thus this is effectively exploitable in any browser.

Affected Software

• ownCloud Server < 7.0.5 (CVE-2015-3011)
• ownCloud Server < 6.0.7 (CVE-2015-3011)
• ownCloud Server < 5.0.19 (CVE-2015-3011)

Action Taken

The user input is now properly sanitised before provided back to the user. Furthermore, with ownCloud 8.2 the default Content-Security-Policy will forbid any eval like constructs by default as an additional layer of defense.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

• Hugh Davenport - All The Things Limited ([email protected]) - Vulnerability discovery and disclosure.