[Owncloud] ownCloud Security Advisories (2013-017, 2013-018)

Lukas Reschke lukas at owncloud.org
Sun Apr 21 12:13:44 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This vulnerabilities only affect ownCloud Server 5.0.x and 4.5.x, the
4.0.x branch is not affected and still supported with security updates
by us.

---------------------------------------

# XSS vulnerability in MediaElement.js (oC-SA-2013-017)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-017/

## CVE IDENTIFIERS
- CVE-2013-1967 (MediaElement.js)

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.5
- ownCloud Server < 4.5.10

## RISK
- High

## COMMITS
- b13c31b (stable5)
- 239ec01 (stable45)

## DESCRIPTION
A cross-site scripting (XSS) vulnerability in all ownCloud versions
prior to 5.0.5 and 4.5.10 except the 4.0.x branch allows remote attackers to
execute arbitrary javascript when a user opens a special crafted URL.

This vulnerability exists in the bundled 3rdparty plugin
“MediaElement.js”, “MediaElement.js” released version 2.11.2 which
addresses the problem.

## CREDITS
The ownCloud Team would like to thank Malte Batram (batr.am) for
discovering this vulnerability and responsibly disclosing this to us
and upstream.


## RESOLUTION
Update to ownCloud Server 5.0.5 or 4.5.10
http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2

---------------------------------------

# Privilege escalation in the contacts application (oC-SA-2013-018)
Web: https://owncloud.org/about/security/advisories/oC-SA-2013-018/

## CVE IDENTIFIERS
- CVE-2013-1963

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.5
- ownCloud Server < 4.5.10

## RISK
- High

## COMMITS
- 9cc35e4 (stable5)
- fc4632d (stable45)

## DESCRIPTION

Due to not properly checking the ownership of a single contact, an
authenticated attacker is able to download contacts of other users in
all ownCloud versions prior to 5.0.5 including the 4.5.x branch.

Note: Successful exploitation of this privilege escalation requires
the “contacts” app to be enabled (enabled by default).

## RESOLUTION
Update to ownCloud Server 5.0.5 ir 4.5.10
http://download.owncloud.org/community/owncloud-5.0.5.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.10.tar.bz2

--
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99

-----BEGIN PGP SIGNATURE-----

wsFcBAEBAgAQBQJRc9e8CRDrMrd7pAa+mQAAcSUP/3tkGnef8/xIgZSLECVK
tDmVK3bLEkty/CVKh6hKkQ4ub8tU0F6+AICdWd2zFuwQkIlVR3l8yMyvEn9a
lwmv9c7ZMH7/n0TBNcZY16MDWIx9Rz21vLR0bebetNbv2fsT9qr6BA8lqlXf
+iuwPvjyS7jzk7grBdGkUiMiD75+uw4K4lQ7Q8Bo1MMv2HEcocy1ed54lRyO
oc0JAVwv52MVei1OJ4j/DvioskbkXE+fE51BohA2cq49MFnMppOBMt1AUsDO
3haKXGBI0rvEmuHzFO+9CnSPjcef6qydxOUlCz7zYx1UNwUqJZSVL0xtqsly
AcHzGwxn589SLRSaWUXR0Vq9Z5d9trlx7CG8QsGUMvA/wuqvjnOBb4bx+0lG
OxmM7jbbxS6K0Xnn18vLqAnkEX+lwXSJC1QQrGezFOD5wLINJilLaxOrNYHH
kEG9OZUjNpqT/FvNJv4J8x11IF+7T8Qi0lBrHDQJMyUMqsaackpK9DEB2MQZ
NZTWrwo5OBlYsxFkpgeP/na2pbyndUqL6//J3e0DijjiitzakpjX4fFURiln
sac2TWwtlkuUJcXllHpn+3Kz17ARP6f7hCcgz7Pf1Ci7TaU1kBh/3wDdn9/x
HNPg7PPxZrsi9yiaui8vMKZUSCnEZTKhGAjn6Rjbp0I0tX+P9GY4gI8K9wO8
DhLV
=/xQd
-----END PGP SIGNATURE-----



More information about the Owncloud mailing list