ownCloud Server 5.0.x/4.5.x XSS and Privilege escalation

2013.04.22
Credit: ownCloud
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

These vulnerabilities only affect ownCloud Server 5.0.x and 4.5.x; the 4.0.x branch is not affected and is still supported with security updates by us.

---------------------------------------

# XSS vulnerability in MediaElement.js (oC-SA-2013-017)

Web: https://owncloud.org/about/security/advisories/oC-SA-2013-017/

## CVE IDENTIFIERS

- CVE-2013-1967 (MediaElement.js)

## AFFECTED SOFTWARE

- ownCloud Server < 5.0.5
- ownCloud Server < 4.5.10

## RISK

- High

## COMMITS

- b13c31b (stable5)
- 239ec01 (stable45)

## DESCRIPTION

A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.5 and 4.5.10, except the 4.0.x branch, allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. The vulnerability exists in the bundled third-party plugin “MediaElement.js”; MediaElement.js released version 2.11.2, which addresses the problem.

## CREDITS

The ownCloud Team would like to thank Malte Batram (batr.am) for discovering this vulnerability and responsibly disclosing it to us and upstream.

## RESOLUTION

Update to ownCloud Server 5.0.5 or 4.5.10

http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2

---------------------------------------

# Privilege escalation in the contacts application (oC-SA-2013-018)

Web: https://owncloud.org/about/security/advisories/oC-SA-2013-018/

## CVE IDENTIFIERS

- CVE-2013-1963

## AFFECTED SOFTWARE

- ownCloud Server < 5.0.5
- ownCloud Server < 4.5.10

## RISK

- High

## COMMITS

- 9cc35e4 (stable5)
- fc4632d (stable45)

## DESCRIPTION

Because the ownership of a single contact was not properly checked, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5, including the 4.5.x branch.

Note: Successful exploitation of this privilege escalation requires the “contacts” app to be enabled (enabled by default).

## RESOLUTION

Update to ownCloud Server 5.0.5 or 4.5.10

http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2

--
ownCloud
Your Cloud, Your Data, Your Way!
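The missing check described in oC-SA-2013-018 is an object-level authorization (per-record ownership) defect. The following PHP is an added illustration written for this page, not ownCloud's own code or the actual fix in the commits above: it contrasts a lookup by contact id alone with a lookup that also joins the contact to an addressbook owned by the requesting user. All table, column and class names are hypothetical.

```php
<?php
// Added example (not ownCloud code): per-contact ownership check of the kind
// the contacts app lacked. Table and column names here are hypothetical.

final class ContactExporter
{
    public function __construct(private PDO $db) {}

    // Vulnerable pattern: the contact is fetched by id alone, so any
    // authenticated user who supplies another user's contact id gets its card.
    public function exportVulnerable(int $contactId): ?string
    {
        $stmt = $this->db->prepare('SELECT carddata FROM contacts WHERE id = ?');
        $stmt->execute([$contactId]);
        $card = $stmt->fetchColumn();
        return $card === false ? null : $card;
    }

    // Hardened pattern: resolve the contact's addressbook and require that it
    // belongs to the requesting user. Missing and foreign contacts both yield
    // null, so the response does not reveal whether the id exists.
    public function exportChecked(int $contactId, string $currentUser): ?string
    {
        $sql = 'SELECT c.carddata
                  FROM contacts c
                  JOIN addressbooks a ON a.id = c.addressbookid
                 WHERE c.id = ? AND a.userid = ?';
        $stmt = $this->db->prepare($sql);
        $stmt->execute([$contactId, $currentUser]);
        $card = $stmt->fetchColumn();
        return $card === false ? null : $card;
    }
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE addressbooks (id INTEGER, userid TEXT)');
$db->exec('CREATE TABLE contacts (id INTEGER, addressbookid INTEGER, carddata TEXT)');
$db->exec("INSERT INTO addressbooks VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO contacts VALUES (10, 1, 'BEGIN:VCARD alice'), (20, 2, 'BEGIN:VCARD bob')");

$exporter = new ContactExporter($db);
// bob asks for contact 10, which lives in alice's addressbook.
var_dump($exporter->exportVulnerable(10));     // id-only lookup: alice's card is released
var_dump($exporter->exportChecked(10, 'bob')); // ownership enforced: refused (null)
var_dump($exporter->exportChecked(20, 'bob')); // bob's own contact: released
```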

References:

http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2
https://owncloud.org/about/security/advisories/oC-SA-2013-018/

