This host is installed with ownCloud and is prone to multiple cross-site scripting and cross-site request forgery vulnerabilities.

Successful exploitation will allow remote attackers to conduct request forgery attacks and execute arbitrary script code in a user's browser. Impact Level: Application

Upgrade to ownCloud version 4.0.12 or 4.5.7 or later, For updates refer to http://owncloud.org

Multiple flaws are due to, - Improper validation of user-supplied input passed via 'site_name' and 'site_url' parameters to /apps/external/ajax/setsites.php script, 'Group Input' parameter passed to the settings.php script. - Insufficient validation of user-supplied input passed via the 'lat' and 'lng' parameters to apps/calendar/ajax/settings/guesstimezone.php, the 'timezonedetection' parameter to calendar/ajax/settings/timezonedetection.php, admin_export parameter to apps/admin_migrate/settings.php, operation parameter to apps/user_migrate/ajax/export.php, unspecified vectors to apps/user_ldap/settings.php

ownCloud Server before version 4.0.12 and 4.5.x before 4.5.7

Get the installed version with the help of detect NVT and check the version is vulnerable or not.

• http://owncloud.org/about/security/advisories/oC-SA-2013-003
• http://owncloud.org/about/security/advisories/oC-SA-2013-004
• http://seclists.org/oss-sec/2013/q1/378
• http://www.osvdb.com/90492
• http://www.osvdb.com/90493
• http://www.osvdb.com/90494

---

Updated on 2015-03-25