Due to not sanitising all user provided input, the “contacts” application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks.
The “contacts” application is enabled by default in the ownCloud Community Edition but not shipped with the ownCloud Enterprise Edition.
Successful exploitation requires that the adversary is able to access the contact group and share contacts with the victim. The victim then has to access the contacts application and edit the maliciously drafted contact.
While ownCloud advises browsers to disable inline JavaScript execution this vulnerability is caused by a eval
like construct which is currently allowed in our default Content-Security-Policy, thus this is effectively exploitable in any browser.
The user input is now properly sanitised before provided back to the user. Furthermore, with ownCloud 8.2 the default Content-Security-Policy will forbid any eval
like constructs by default as an additional layer of defense.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 5.0.19 | |
owncloud server | lt | 7.0.5 | |
owncloud server | lt | 6.0.7 |