XSS in Error Page

May 31, 2017

Description

An attacker can inject HTML script code into a error message

Affected Software

  • ownCloud Server < 10.0.2 (CVE-2017-8896)
  • ownCloud Server < 9.1.6 (CVE-2017-8896)
  • ownCloud Server < 9.0.10 (CVE-2017-8896)
  • ownCloud Server < 8.2.12 (CVE-2017-8896)

Action Taken

Escape output

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Manuel Mancera – Vulnerability discovery and disclosure.