A cross-site scripting flaw was found in the way the videoViewer module of ownCloud, a private file synchronization tool and share server, performed sanitization of certain file name arguments. A remote attacker could provide a specially-crafted web page that, when visited, would lead to arbitrary HTML or web script execution in the context of the ownCloud user's session.

References:
[1] http://www.openwall.com/lists/oss-security/2013/06/07/3

Upstream patches:
[2] https://github.com/owncloud/apps/commit/b9a85f2 (against stable5 branch)
[3] https://github.com/owncloud/apps/commit/773e3de (against stable45 branch)
This issue affects the versions of the owncloud package as shipped with Fedora release 18 and Fedora EPEL-6. Please schedule an update.
Created owncloud tracking bugs for this issue

Affects: fedora-18 [bug 971864]
Affects: epel-6 [bug 971865]
Upstream advisory: http://owncloud.org/about/security/advisories/oC-SA-2013-028/