ownCloud Server Community Edition Multiple Cross-Site Scripting Vulnerabilities
2 Oct. 2015
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact.
Vulnerable Systems:
* ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5
Immune Systems:
* ownCloud Server Community Edition after 5.0.19, after 6.0.7, and after 7.0.5
Hugh Davenport discovered that the contacts application shipped with ownCloud is vulnerable to multiple stored cross-site scripting attacks. This vulnerability is effectively exploitable in any browser.
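The affected version ranges from the summary, turned into an inventory check. This is an added example, not code from ownCloud or from the advisory; the function names, the host names and the sample inventory are constructed, and it assumes version strings are dotted integers, optionally with a leading "v" or a fourth build component.

```python
import re

# First fixed release on each branch, taken from the advisory text.
FIXED = {5: (5, 0, 19), 6: (6, 0, 7), 7: (7, 0, 5)}


def parse_version(text):
    """Turn '7.0.4', 'v6.0.6' or '7.0.4.2' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))   # '7' -> (7, 0, 0)
    return tuple(parts[:3])           # a fourth build component is ignored


def is_affected(text):
    """True if the version falls in a range the advisory lists as vulnerable."""
    version = parse_version(text)
    major = version[0]
    if major < 5:
        return True                   # "before 5.0.19" also covers older branches
    fixed = FIXED.get(major)
    if fixed is None:
        return False                  # branch not listed in this advisory
    return version < fixed


def needs_upgrade(inventory):
    """Return the hosts, sorted, whose reported version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "files-a.example": "7.0.4.2",
    "files-b.example": "7.0.5",
    "files-c.example": "6.0.6",
    "files-d.example": "5.0.19",
    "files-e.example": "v4.5.13",
}

if __name__ == "__main__":
    for host in needs_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: upgrade required ({SAMPLE_INVENTORY[host]})")
```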