Summary
This host is installed with ownCloud and is prone to multiple cross-site scripting and cross-site request forgery vulnerabilities.
Impact
Successful exploitation will allow remote attackers to conduct request forgery attacks and execute arbitrary script code in a user's browser.
Impact Level: Application
Solution
Upgrade to ownCloud version 4.0.12 or 4.5.7 or later. For updates refer to http://owncloud.org
Insight
Multiple flaws are due to:
- Improper validation of user-supplied input passed via the 'site_name' and 'site_url' parameters to the /apps/external/ajax/setsites.php script, and via the 'Group Input' parameter to the settings.php script.
- Insufficient validation of user-supplied input passed via the 'lat' and 'lng' parameters to apps/calendar/ajax/settings/guesstimezone.php, the 'timezonedetection' parameter to calendar/ajax/settings/timezonedetection.php, the 'admin_export' parameter to apps/admin_migrate/settings.php, the 'operation' parameter to apps/user_migrate/ajax/export.php, and unspecified vectors to apps/user_ldap/settings.php.
Affected
ownCloud Server before version 4.0.12 and 4.5.x before 4.5.7
Detection
Get the installed version with the help of the detect NVT and check whether the version is vulnerable.
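One way to perform the version check the Detection section describes, as an added example that is not part of the NVT itself: it reads the version out of a constructed status.php-style JSON body (the field names are an assumption, not taken from this page) and tests it against the two affected ranges stated above, treating versions between 4.0.12 and 4.5.0 as outside both ranges.

```python
import json
import re

# Fixed versions from the advisory: before 4.0.12, and 4.5.x before 4.5.7 are affected.
FIXED_40 = (4, 0, 12)
FIXED_45 = (4, 5, 7)

# Constructed sample bodies in the shape of an ownCloud status.php JSON reply.
# Assumption: the reply carries "version"/"versionstring"; these are made-up samples.
SAMPLE_STATUS = {
    "old_40": '{"installed":"true","version":"4.0.11","versionstring":"4.0.11"}',
    "patched_40": '{"installed":"true","version":"4.0.12","versionstring":"4.0.12"}',
    "old_45": '{"installed":"true","version":"4.5.6","versionstring":"4.5.6"}',
    "patched_45": '{"installed":"true","version":"4.5.7","versionstring":"4.5.7"}',
}


def parse_version(text):
    """Turn '4.5.6' (or '4.5.6a') into a comparable 3-tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at the first non-numeric component (e.g. 'rc1')
        parts.append(int(m.group()))
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version falls inside a range the advisory lists as affected."""
    v = parse_version(version)
    if v[:2] == (4, 5):
        return v < FIXED_45  # 4.5.x branch: fixed in 4.5.7
    return v < FIXED_40      # everything else: fixed in 4.0.12


def check_status_json(body):
    """Extract the version from a status.php-style body and classify it."""
    data = json.loads(body)
    version = data.get("versionstring") or data.get("version")
    if not version:
        return {"version": None, "affected": None}  # no version, no verdict
    return {"version": version, "affected": is_affected(version)}
```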
References
Severity
Classification
CVE: CVE-2013-0297, CVE-2013-0299, CVE-2013-0307
CVSS Base Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P