Web application abuses : ownCloud Multiple XSS & CSRF Vulnerabilities -01 (May 2014)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.804276

Category: Web application abuses

Title: ownCloud Multiple XSS & CSRF Vulnerabilities -01 (May 2014)

Summary: ownCloud is prone to multiple cross-site scripting and cross-; site request forgery (CSRF) vulnerabilities.

Description: Summary:
ownCloud is prone to multiple cross-site scripting and cross-
site request forgery (CSRF) vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to:

- Improper validation of user-supplied input passed via 'site_name' and
'site_url' parameters to /apps/external/ajax/setsites.php script, 'Group Input'
parameter passed to the settings.php script.

- Insufficient validation of user-supplied input passed via the 'lat' and
'lng' parameters to apps/calendar/ajax/settings/guesstimezone.php, the
'timezonedetection' parameter to calendar/ajax/settings/timezonedetection.php,
admin_export parameter to apps/admin_migrate/settings.php, operation parameter to
apps/user_migrate/ajax/export.php, unspecified vectors to
apps/user_ldap/settings.php

Vulnerability Impact:
Successful exploitation will allow remote attackers to conduct request forgery
attacks and execute arbitrary script code in a user's browser.

Affected Software/OS:
ownCloud Server before version 4.0.12 and 4.5.x before 4.5.7

Solution:
Update to version 4.0.12 or 4.5.7 or later.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2013-0307
Common Vulnerability Exposure (CVE) ID: CVE-2013-0299
Common Vulnerability Exposure (CVE) ID: CVE-2013-0297

Copyright Copyright (C) 2014 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.804276
Category:	Web application abuses
Title:	ownCloud Multiple XSS & CSRF Vulnerabilities -01 (May 2014)
Summary:	ownCloud is prone to multiple cross-site scripting and cross-; site request forgery (CSRF) vulnerabilities.
Description:	Summary: ownCloud is prone to multiple cross-site scripting and cross- site request forgery (CSRF) vulnerabilities. Vulnerability Insight: Multiple flaws are due to: - Improper validation of user-supplied input passed via 'site_name' and 'site_url' parameters to /apps/external/ajax/setsites.php script, 'Group Input' parameter passed to the settings.php script. - Insufficient validation of user-supplied input passed via the 'lat' and 'lng' parameters to apps/calendar/ajax/settings/guesstimezone.php, the 'timezonedetection' parameter to calendar/ajax/settings/timezonedetection.php, admin_export parameter to apps/admin_migrate/settings.php, operation parameter to apps/user_migrate/ajax/export.php, unspecified vectors to apps/user_ldap/settings.php Vulnerability Impact: Successful exploitation will allow remote attackers to conduct request forgery attacks and execute arbitrary script code in a user's browser. Affected Software/OS: ownCloud Server before version 4.0.12 and 4.5.x before 4.5.7 Solution: Update to version 4.0.12 or 4.5.7 or later. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2013-0307 Common Vulnerability Exposure (CVE) ID: CVE-2013-0299 Common Vulnerability Exposure (CVE) ID: CVE-2013-0297
Copyright	Copyright (C) 2014 Greenbone AG