oss-sec mailing list archives
ownCloud Security Advisories (2013-017, 2013-018)
From: Lukas Reschke <lukas () owncloud org>
Date: Sun, 21 Apr 2013 14:13:44 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This vulnerabilities only affect ownCloud Server 5.0.x and 4.5.x, the 4.0.x branch is not affected and still supported with security updates by us. --------------------------------------- # XSS vulnerability in MediaElement.js (oC-SA-2013-017) Web: https://owncloud.org/about/security/advisories/oC-SA-2013-017/ ## CVE IDENTIFIERS - CVE-2013-1967 (MediaElement.js) ## AFFECTED SOFTWARE - ownCloud Server < 5.0.5 - ownCloud Server < 4.5.10 ## RISK - High ## COMMITS - b13c31b (stable5) - 239ec01 (stable45) ## DESCRIPTION A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.5 and 4.5.10 except the 4.0.x branch allows remote attackers to execute arbitrary javascript when a user opens a special crafted URL. This vulnerability exists in the bundled 3rdparty plugin “MediaElement.js”, “MediaElement.js” released version 2.11.2 which addresses the problem. ## CREDITS The ownCloud Team would like to thank Malte Batram (batr.am) for discovering this vulnerability and responsibly disclosing this to us and upstream. ## RESOLUTION Update to ownCloud Server 5.0.5 or 4.5.10 http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2 http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2 --------------------------------------- # Privilege escalation in the contacts application (oC-SA-2013-018) Web: https://owncloud.org/about/security/advisories/oC-SA-2013-018/ ## CVE IDENTIFIERS - CVE-2013-1963 ## AFFECTED SOFTWARE - ownCloud Server < 5.0.5 - ownCloud Server < 4.5.10 ## RISK - High ## COMMITS - 9cc35e4 (stable5) - fc4632d (stable45) ## DESCRIPTION Due to not properly checking the ownership of a single contact, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5 including the 4.5.x branch. Note: Successful exploitation of this privilege escalation requires the “contacts” app to be enabled (enabled by default). ## RESOLUTION Update to ownCloud Server 5.0.5 ir 4.5.10 http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2 http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2 -- ownCloud Your Cloud, Your Data, Your Way! GPG: 0xEB32B77BA406BE99 -----BEGIN PGP SIGNATURE----- wsFcBAEBAgAQBQJRc9e8CRDrMrd7pAa+mQAAcSUP/3tkGnef8/xIgZSLECVK tDmVK3bLEkty/CVKh6hKkQ4ub8tU0F6+AICdWd2zFuwQkIlVR3l8yMyvEn9a lwmv9c7ZMH7/n0TBNcZY16MDWIx9Rz21vLR0bebetNbv2fsT9qr6BA8lqlXf +iuwPvjyS7jzk7grBdGkUiMiD75+uw4K4lQ7Q8Bo1MMv2HEcocy1ed54lRyO oc0JAVwv52MVei1OJ4j/DvioskbkXE+fE51BohA2cq49MFnMppOBMt1AUsDO 3haKXGBI0rvEmuHzFO+9CnSPjcef6qydxOUlCz7zYx1UNwUqJZSVL0xtqsly AcHzGwxn589SLRSaWUXR0Vq9Z5d9trlx7CG8QsGUMvA/wuqvjnOBb4bx+0lG OxmM7jbbxS6K0Xnn18vLqAnkEX+lwXSJC1QQrGezFOD5wLINJilLaxOrNYHH kEG9OZUjNpqT/FvNJv4J8x11IF+7T8Qi0lBrHDQJMyUMqsaackpK9DEB2MQZ NZTWrwo5OBlYsxFkpgeP/na2pbyndUqL6//J3e0DijjiitzakpjX4fFURiln sac2TWwtlkuUJcXllHpn+3Kz17ARP6f7hCcgz7Pf1Ci7TaU1kBh/3wDdn9/x HNPg7PPxZrsi9yiaui8vMKZUSCnEZTKhGAjn6Rjbp0I0tX+P9GY4gI8K9wO8 DhLV =/xQd -----END PGP SIGNATURE-----
Current thread:
- ownCloud Security Advisories (2013-017, 2013-018) Lukas Reschke (Apr 21)