Bug 971863 - (CVE-2013-2150) CVE-2013-2150 owncloud: Cross-site scripting due improper sanitization of the file name in the videoViewer JavaScript module (oC-SA-2013-028)
CVE-2013-2150 owncloud: Cross-site scripting due improper sanitization of the...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 971864 971865
  Show dependency treegraph
Reported: 2013-06-07 08:58 EDT by Jan Lieskovsky
Modified: 2016-03-04 06:33 EST (History)
1 user (show)

See Also:
Fixed In Version: ownCloud-5.0.7, ownCloud-4.5.12, ownCloud-4.0.16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2013-06-07 08:58:48 EDT
A cross-site scripting flaw was found in the way videoViewer module of ownCloud, a private file synchronization tool and share server, performed sanitization of certain file name arguments. A remote attacker could provide a specially-crafted web page that, when visited would lead to arbitrary HTML or web script execution in the context of the ownCloud user's session.

[1] http://www.openwall.com/lists/oss-security/2013/06/07/3

Upstream patches:
[2] https://github.com/owncloud/apps/commit/b9a85f2 (against stable5 branch)
[3] https://github.com/owncloud/apps/commit/773e3de (against stable45 branch)
Comment 1 Jan Lieskovsky 2013-06-07 09:00:42 EDT
This issue affects the versions of the owncloud package as shipped with Fedora release of 18 and Fedora EPEL-6. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-06-07 09:02:49 EDT
Created owncloud tracking bugs for this issue

Affects: fedora-18 [bug 971864]
Affects: epel-6 [bug 971865]
Comment 3 Jan Lieskovsky 2013-06-07 10:05:25 EDT
Upstream advisory:

Note You need to log in before you can comment on or make changes to this bug.