Web application abuses : ownCloud Multiple XSS & CSRF Vulnerabilities -02 (May 2014)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.804277

Category: Web application abuses

Title: ownCloud Multiple XSS & CSRF Vulnerabilities -02 (May 2014)

Summary: ownCloud is prone to multiple cross-site scripting and cross-; site request forgery (CSRF) vulnerabilities.

Description: Summary:
ownCloud is prone to multiple cross-site scripting and cross-
site request forgery (CSRF) vulnerabilities.

Vulnerability Insight:
Multiple flaws are due to:

- Improper validation of user-supplied input passed via 'mountpoint' parameter
upon submission to the /apps/files_external/addMountPoint.php script, 'dir' and
'file' parameters upon submission to the /apps/files_pdfviewer/viewer.php script
and 'iCalendar' file in the calendar application.

- Insufficient validation of user-supplied input passed via the 'v' POST
parameter to changeview.php within /apps/calendar/ajax, multiple unspecified
parameters to addRootCertificate.php, dropbox.php and google.php scripts within
/apps/files_external/ajax and multiple unspecified POST parameters to
settings.php script within /apps/user_webdavauth.

Vulnerability Impact:
Successful exploitation will allow remote attackers to conduct request forgery
attacks and execute arbitrary script code in a user's browser.

Affected Software/OS:
ownCloud Server before version 4.5.x before 4.5.7

Solution:
Update to version 4.5.7 or later.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2013-0300
Common Vulnerability Exposure (CVE) ID: CVE-2013-0298

Copyright Copyright (C) 2014 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.804277
Category:	Web application abuses
Title:	ownCloud Multiple XSS & CSRF Vulnerabilities -02 (May 2014)
Summary:	ownCloud is prone to multiple cross-site scripting and cross-; site request forgery (CSRF) vulnerabilities.
Description:	Summary: ownCloud is prone to multiple cross-site scripting and cross- site request forgery (CSRF) vulnerabilities. Vulnerability Insight: Multiple flaws are due to: - Improper validation of user-supplied input passed via 'mountpoint' parameter upon submission to the /apps/files_external/addMountPoint.php script, 'dir' and 'file' parameters upon submission to the /apps/files_pdfviewer/viewer.php script and 'iCalendar' file in the calendar application. - Insufficient validation of user-supplied input passed via the 'v' POST parameter to changeview.php within /apps/calendar/ajax, multiple unspecified parameters to addRootCertificate.php, dropbox.php and google.php scripts within /apps/files_external/ajax and multiple unspecified POST parameters to settings.php script within /apps/user_webdavauth. Vulnerability Impact: Successful exploitation will allow remote attackers to conduct request forgery attacks and execute arbitrary script code in a user's browser. Affected Software/OS: ownCloud Server before version 4.5.x before 4.5.7 Solution: Update to version 4.5.7 or later. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2013-0300 Common Vulnerability Exposure (CVE) ID: CVE-2013-0298
Copyright	Copyright (C) 2014 Greenbone AG