Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 7 Jun 2013 13:34:35 +0200
From: Lukas Reschke <lukas@...cloud.org>
To: Open Source Security <oss-security@...ts.openwall.com>, announcements@...cloud.org
Subject: ownCloud Security Advisory oC-SA-2013-028

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Multiple XSS vulnerabilities (oC-SA-2013-028)
Web: http://owncloud.org/about/security/advisories/oC-SA-2013-028/

## AFFECTED SOFTWARE
- - ownCloud Server < 5.0.7 (CVE-2013-2150, CVE-2013-2149)
- - ownCloud Server < 4.5.12 (CVE-2013-2150, CVE-2013-2149)
- - ownCloud Server < 4.0.16 (CVE-2013-2149)

## RISK
- - Medium

## COMMITS
### CVE-2013-2150
- - stable5: [b9a85f2](https://github.com/owncloud/apps/commit/b9a85f2)
- - stable45: [773e3de](https://github.com/owncloud/apps/commit/773e3de)
### CVE-2013-2149
- - stable5: [752a316](https://github.com/owncloud/core/commit/752a316)
- - stable45: [600afad](https://github.com/owncloud/core/commit/600afad)
- - stable4: [17b44bf](https://github.com/owncloud/core/commit/17b44bf)

## DESCRIPTION
Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the
files_videoviewer application via multiple unspecified vectors in all
ownCloud versions prior to 5.0.7 and 4.5.12 allows authenticated
remote attackers to inject arbitrary web script or HTML via shared
files. (CVE-2013-2150)

Cross-site scripting (XSS) vulnerabilities in core/js/oc-dialogs.js
via multiple unspecified vectors in all ownCloud versions prior to
5.0.7 and other versions before 4.0.16 allows authenticated remote
attackers to inject arbitrary web script or HTML via shared files.
(CVE-2013-2149)

## Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl /
CVE-2013-2149 / CVE-2013-2150) for discovering this vulnerabilities.

## RESOLUTION
Update to ownCloud Server 5.0.7, 4.5.12 or 4.0.16
http://download.owncloud.org/community/owncloud-5.0.7.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.12.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.16.tar.bz2

- --
ownCloud
Your Cloud, Your Data, Your Way!

GPG: 0xEB32B77BA406BE99
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)

iQIcBAEBAgAGBQJRscRMAAoJEOsyt3ukBr6Z03QP+wXpp0Rxm0InVb0+t9JjHy7i
ALbO4LbrENwf01Kd7vAkf1kLwhXzwXw7PCkc+tGyDpm4TGePxyMIB1YedwwrNCO9
3AhIcpEAB8nvJE8mlPIBg2NhJsva2nokSu5muFmjp1KfEz+t/MRK7P5zAaWJSqUS
912uPx0vEaMz6LpHfB0v/VpXwCcNAwohChebeUGv4vy/FpOxUBuOAGZWrmq3iteQ
yPNlVGoN5fnfRORKgud2j58HRnGuvfO+Ttnun2iZKvV1b1ZFzoKTZVJ+4PT3zNBM
Xc5yu9VL6NWe+Sqt3geyUdUgA8yLqdo76jk9yXUnwA1VYCwGCog66GBQKcoi/wyh
/3j+y+Xp2mPhjn+75UED4Ul4jkH61HrxTygWcm5Iz3vgK0bJ8VlYiLlgETLpnBZ6
DLAzR0J+2vZ5E7UOCTyb/syZHpWgXA2VYcCeBi2cZ3nM+fQi9g5QFMNe1RCuxaVN
y4e4EYMEjvMcrGVj85NQrZ+xRWcCLhVjjtOdxvL3xR+gC/oyd2j3b/sKA5rJSzm/
411NwpYMB1cpfNo1ZeXh8nYH1kQ3V0VX3wnNZbIpyhe6mSrKgJrNT5vMoc3tavvI
+6/NaitHDZJh+16ZHFGk+s2tPxiMvJlWE3ZLf24yLNyvZIuESs72caAWtb/f3nVM
+gAGvkDUBqIQFY5cT1KH
=6ItI
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.