owncloud
OWNCLOUD:9F7267DE3BC3DA1D0E968B9507F5A7F6
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
Jun 24, 2015 - 6:49 p.m.

Stored XSS in "activity" application - ownCloud

2015-06-24 18:49:05
owncloud.org
EPSS: 0.001 (Low), percentile 30.2%

Due to not sanitising all user provided input, the “activity” application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The “activity” application is enabled by default in the ownCloud Community Edition and Enterprise Edition.

Successful exploitation requires that the adversary is able to create files containing the " character. This character is forbidden by default in any current ownCloud version except 8.1.0 RC1, thus an actual exploitation requires that the user has mounted an external storage within ownCloud where a user can create files with such characters. Alternatively, an adversary may discover a way to circumvent the input validation (ownCloud is not aware of a bypass of the input validation). Furthermore, the attacker must be able to share a folder containing the files with malicious filenames with the victim.

ownCloud employs a strict Content-Security-Policy that forbids inline script execution, so this bug is unlikely to be exploitable on recent browsers that support Content-Security-Policy (Firefox >= 23, Chrome >= 25, Safari >= 7).

Affected Software

  • ownCloud Server < 7.0.5 (CVE-2015-5953)
  • ownCloud Server < 8.0.4 (CVE-2015-5953)

Action Taken

The output is now properly sanitized.
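
The following is an added example, not code from ownCloud or from this advisory: it sketches how a filename containing the " character can alter the markup of an activity entry when it is written out unescaped, and how escaping at output time keeps it inside the attribute value. The markup, function names and sample filename are assumptions made for illustration.

```javascript
// Added illustration; not ownCloud's code. Markup and function names are hypothetical.

// Constructed filename containing the " character the advisory refers to.
const SAMPLE_FILENAME = 'report" data-injected="1';

// Escape the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the filename is concatenated into the activity entry as-is.
function renderActivityUnsafe(sharer, filename) {
  return `<a class="filename" title="${filename}">${sharer} shared ${filename} with you</a>`;
}

// "After": every user-controlled value is escaped when it is written out.
function renderActivitySafe(sharer, filename) {
  const f = escapeHtml(filename);
  return `<a class="filename" title="${f}">${escapeHtml(sharer)} shared ${f} with you</a>`;
}

// List the attribute names present on the first opening tag of a fragment.
function attributeNames(html) {
  const openTag = html.slice(0, html.indexOf('>') + 1);
  const pattern = /([^\s"'<>\/=]+)\s*=\s*"([^"]*)"/g;
  return Array.from(openTag.matchAll(pattern), (m) => m[1]);
}

// Regression check: report attributes the template itself never emits.
function unexpectedAttributes(html, allowed = ['class', 'title']) {
  return attributeNames(html).filter((name) => !allowed.includes(name));
}

console.log(unexpectedAttributes(renderActivityUnsafe('alice', SAMPLE_FILENAME)));
console.log(unexpectedAttributes(renderActivitySafe('alice', SAMPLE_FILENAME)));
```

A check like `unexpectedAttributes` can be kept as a regression test for templates that render file or folder names from shared or external storage.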

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
