- Platform: ownCloud Server
- Versions: 10.0.2
- Date: 5/31/2017
- Risk level: Medium
- CVSS v3 Base Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
- CWE: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)
- HackerOne report: 215410
Description
An attacker can inject HTML script code into a error message
Affected Software
- ownCloud Server < 10.0.2 (CVE-2017-8896)
- ownCloud Server < 9.1.6 (CVE-2017-8896)
- ownCloud Server < 9.0.10 (CVE-2017-8896)
- ownCloud Server < 8.2.12 (CVE-2017-8896)
Action Taken
Escape output
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Manuel Mancera – Vulnerability discovery and disclosure.