Reflected XSS in login page forgot password functionallity

Aug 6, 2020

  • Risk: medium
  • CVSS v3 Base Score: 4.7
  • CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
  • CWE ID: CWE-79
  • CWE Name: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)


The login page was not properly sanitizing exception messages from the ownCloud server.


ownCloud/core version < 10.5 (CVE-2020-16255)

Action taken

Error messages are now properly sanitized