ownCloud Cross-Site Scripting and Security Bypass Vulnerabilities

Summary
This host is running ownCloud and is prone to cross-site scripting and security bypass vulnerabilities.
Impact
Successful exploitation will allow a remote attacker to execute arbitrary HTML or script code, or to disclose sensitive information, resulting in loss of confidentiality.
Solution
Upgrade to ownCloud 4.5.5, 4.0.10 or later. For updates, refer to http://owncloud.org
Insight
Multiple flaws are due to:
- The application not verifying permissions when accessing settings.php, which can be exploited to change the app configuration for user_webdavauth and user_ldap and subsequently log in as arbitrary users.
- Certain input passed to apps/bookmark/index.php not being properly sanitised before being returned to the user.
Affected
ownCloud versions 4.0.x before 4.0.10 and 4.5.x before 4.5.5
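The affected ranges above can be checked against an inventory of installed versions. The following is an added example, not part of the original advisory or of ownCloud; the hostnames and version strings are constructed, and the function names are hypothetical. It compares versions numerically, because a plain string comparison would rank 4.0.9 above 4.0.10.

```python
import re

# Fixed releases taken from the advisory: 4.0.x before 4.0.10, 4.5.x before 4.5.5.
FIXED_BY_BRANCH = {(4, 0): (4, 0, 10), (4, 5): (4, 5, 5)}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '4.5.4' or '4.0.9 beta'."""
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def classify(text):
    """Classify a version against the advisory's affected ranges.

    Returns 'affected', 'fixed' (listed branch, at or past the fixed release)
    or 'not-listed' (a branch the advisory makes no statement about).
    """
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Map host -> status; unparseable versions are marked for manual review."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "cloud-a.example": "4.0.9",
    "cloud-b.example": "4.0.10",
    "cloud-c.example": "4.5.4",
    "cloud-d.example": "4.5.5",
    "cloud-e.example": "n/a",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```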
Detection
Send crafted data via an HTTP request and check whether it is able to read the cookie.