Описание
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| nextcloud | itp | package | ||
| owncloud | not-affected | package |
Примечания
up to version which was removed, not included, as the vulnerable code was
introduced later in a migration of the Gallery app to a new sharing endpoint
where a parameter changed from an interger to a string value, and that value
not beeing sanitized.
https://owncloud.org/security/advisory/?id=oc-sa-2016-011
https://github.com/owncloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc
https://hackerone.com/reports/145355
Связанные уязвимости
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.