Summary
ownCloud is prone to an arbitrary code execution vulnerability, multiple HTML-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
Successful exploits allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. They also allow the attacker to execute arbitrary code in the context of the web server. Other attacks are also possible.
The following versions are vulnerable:
- ownCloud 4.0.10 and prior
- ownCloud 4.5.5 and prior
Solution
Vendor updates are available. Please see the references for more information.
References
Updated on 2015-03-25
Severity
Classification
- CVE: CVE-2013-0201, CVE-2013-0202, CVE-2013-0203, CVE-2013-0204
- CVSS Base Score: 7.5
- CVSS Vector: AV:N/AC:M/Au:S/C:C/I:P/A:P