Red Hat Bugzilla – Bug 971859
CVE-2013-2149 owncloud: Cross-site scripting in owncloud jQuery dialogs due to improper escaping of filenames in filepicker module (oC-SA-2013-028)
Last modified: 2016-03-04 05:45:37 EST
A cross-site scripting flaw was found in the way the jQuery dialog handling functionality of ownCloud, a private file synchronization tool and share server, performed sanitization of the file name arguments in the filepicker module. A remote attacker could provide a specially-crafted web page that, when visited, would lead to arbitrary HTML or web script execution in the context of the ownCloud user's session.
 https://github.com/owncloud/core/commit/752a316 (against stable5 branch)
 https://github.com/owncloud/core/commit/600afad (against stable45 branch)
 https://github.com/owncloud/core/commit/17b44bf (against stable4 branch)
This issue affects the versions of the owncloud package as shipped with Fedora release 18 and Fedora EPEL-6. Please schedule an update.
Created owncloud tracking bugs for this issue
Affects: fedora-18 [bug 971864]
Affects: epel-6 [bug 971865]
owncloud-4.5.12-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
owncloud-4.5.12-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.