[Owncloud] ownCloud Security Advisories (2013-017, 2013-018)
Lukas Reschke
lukas at owncloud.org
Sun Apr 21 12:13:44 UTC 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
These vulnerabilities only affect ownCloud Server 5.0.x and 4.5.x; the
4.0.x branch is not affected and is still supported with security updates
by us.
---------------------------------------
# XSS vulnerability in MediaElement.js (oC-SA-2013-017)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-017/
## CVE IDENTIFIERS
- CVE-2013-1967 (MediaElement.js)
## AFFECTED SOFTWARE
- ownCloud Server < 5.0.5
- ownCloud Server < 4.5.10
## RISK
- High
## COMMITS
- b13c31b (stable5)
- 239ec01 (stable45)
## DESCRIPTION
A cross-site scripting (XSS) vulnerability in all ownCloud versions
prior to 5.0.5 and 4.5.10, except the 4.0.x branch, allows remote attackers to
execute arbitrary JavaScript when a user opens a specially crafted URL.
This vulnerability exists in the bundled third-party plugin
“MediaElement.js”; MediaElement.js has released version 2.11.2, which
addresses the problem.
## CREDITS
The ownCloud Team would like to thank Malte Batram (batr.am) for
discovering this vulnerability and responsibly disclosing this to us
and upstream.
## RESOLUTION
Update to ownCloud Server 5.0.5 or 4.5.10
http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2
---------------------------------------
# Privilege escalation in the contacts application (oC-SA-2013-018)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-018/
## CVE IDENTIFIERS
- CVE-2013-1963
## AFFECTED SOFTWARE
- ownCloud Server < 5.0.5
- ownCloud Server < 4.5.10
## RISK
- High
## COMMITS
- 9cc35e4 (stable5)
- fc4632d (stable45)
## DESCRIPTION
Because the ownership of an individual contact was not properly checked, an
authenticated attacker is able to download contacts of other users in
all ownCloud versions prior to 5.0.5, including the 4.5.x branch.
Note: Successful exploitation of this privilege escalation requires
the “contacts” app to be enabled (it is enabled by default).
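The flaw class described above (an object fetched by id without comparing its owner to the authenticated user) is illustrated here with an added example that is not ownCloud's code and does not use its API; it is written in Python as a language-neutral sketch, and the `Contact` store, `handle_request`, the user names and the vCard strings are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: a tiny contact store keyed by contact id.
@dataclass(frozen=True)
class Contact:
    id: int
    owner: str   # user id of the account that owns this contact
    vcard: str   # serialized contact data that the download endpoint returns

CONTACTS: Dict[int, Contact] = {
    1: Contact(1, "alice", "BEGIN:VCARD\nVERSION:3.0\nFN:Alice Friend\nEND:VCARD"),
    2: Contact(2, "bob", "BEGIN:VCARD\nVERSION:3.0\nFN:Bob Dentist\nEND:VCARD"),
}

# Denied requests are recorded so that repeated probing of foreign ids is visible.
AUDIT_LOG: List[str] = []


def download_contact_vulnerable(session_user: str, contact_id: int) -> Optional[str]:
    """Lookup by id only: session_user is never compared with the owner,
    so any authenticated user can fetch any contact whose id they guess."""
    contact = CONTACTS.get(contact_id)
    return contact.vcard if contact else None


def download_contact_fixed(session_user: str, contact_id: int) -> Tuple[int, str]:
    """Ownership-checked lookup returning an (http_status, body) pair.

    session_user must come from the server-side session, never from a
    request parameter, otherwise the check can be bypassed trivially."""
    contact = CONTACTS.get(contact_id)
    if contact is None:
        return 404, ""
    if contact.owner != session_user:
        AUDIT_LOG.append(
            f"denied contact {contact_id} to {session_user} (owner {contact.owner})"
        )
        return 403, ""
    return 200, contact.vcard


def handle_request(session_user: str, contact_id: int, patched: bool = True) -> Tuple[int, str]:
    """Minimal request dispatcher so both code paths can be exercised side by side."""
    if patched:
        return download_contact_fixed(session_user, contact_id)
    body = download_contact_vulnerable(session_user, contact_id)
    return (200, body) if body is not None else (404, "")


if __name__ == "__main__":
    # bob asks for alice's contact: served by the vulnerable path, refused by the fixed one
    print(handle_request("bob", 1, patched=False))
    print(handle_request("bob", 1, patched=True))
    print(AUDIT_LOG)
```

The fixed handler distinguishes 403 from 404 so that the audit trail is precise; a deployment that prefers not to confirm whether a guessed id exists can return 404 in both cases while still writing the audit entry. Either way the decisive line is the `contact.owner != session_user` comparison against the session identity, which is exactly what the vulnerable path omits.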
## RESOLUTION
Update to ownCloud Server 5.0.5 or 4.5.10
http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2
--
ownCloud
Your Cloud, Your Data, Your Way!
GPG: 0xEB32B77BA406BE99