Bug 571576 (CVE-2016-1498) - <www-apps/owncloud-{7.0.12,8.0.10,8.1.5,8.2.2}: Multiple vulnerabilities (OC-SA-2016-003) (CVE-2016-{1498,1499,1500})
Status: RESOLVED FIXED
Alias: CVE-2016-1498
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://owncloud.org/security/advisor...
Whiteboard: ~4 [noglsa]
Reported: 2016-01-11 19:11 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-01-11 20:05 UTC (History)
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-01-11 19:11:14 UTC
https://owncloud.org/security/advisory/?id=oc-sa-2016-001:

Reflected XSS in OCS provider discovery (oC-SA-2016-001)

6th January 2016

Risk level: Low

CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
Description

A Cross-site scripting (XSS) vulnerability in the OCS discovery provider in ownCloud Servers allows remote attackers to inject arbitrary web script or HTML via the URL resulting in a reflected Cross-Site-Scripting.

Since ownCloud employs a strict Content-Security-Policy that forbids inline script execution this bug is unlikely to be exploitable on recent browsers that support Content-Security-Policy. (Firefox >= 23, Chrome >= 25, Safari >= 7, Microsoft Edge)

Affected Software

    ownCloud Server < 8.2.2 (CVE-2016-1498)
        core/cccf4b607340f52cd0e9301c6e2813c121f2c236
    ownCloud Server < 8.1.5 (CVE-2016-1498)
        core/ada757317422ab9be36e10a7b9a2a5597063521f
    ownCloud Server < 8.0.10 (CVE-2016-1498)
        core/1d650169804b37b7e9864c8032c67dd48c99d08d
    ownCloud Server < 7.0.12 (CVE-2016-1498)
        core/85e068a723c09d0f01ab3e10aa6a3f6a8c4c3227

##########################################################
Information Exposure Through Directory Listing in the file scanner (oC-SA-2016-002)

6th January 2016

Risk level: Medium

CVSS v2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CWE: Information Exposure Through Directory Listing (CWE-548)
Description

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of files existing on the filesystem. However, it is not possible to access any of these files.

This causes a massive server load and thus an enumeration of the whole server content is unlikely due to the high risk of Denial of Service.

For a more technical description please take a look at the advisory of the reporter.

Affected Software

    ownCloud Server < 8.2.2 (CVE-2016-1499)
        core/703b6d1803d776122ec0604cf0f3ab807033206e
    ownCloud Server < 8.1.5 (CVE-2016-1499)
        core/a4a7ee1761ddd1681e7a8d5868ae4a6c671495fa
    ownCloud Server < 8.0.10 (CVE-2016-1499)
        core/fab59179f1661da4862336fb8ea450c80def26d4


##########################################################
https://owncloud.org/security/advisory/?id=oc-sa-2016-003:
Description

Due to an incorrect usage of the getOwner function of the ownCloud virtual filesystem, authenticated users with incoming shares of other users are able to access files beginning with ".v" of the sharing user. This can only be exploited if the "files_versions" application is enabled on the server.

Affected Software

    ownCloud Server < 8.2.2 (CVE-2016-1500)
        core/b7c217290f0d1974c048bb467e2c3cee0bbc6fc2
    ownCloud Server < 8.1.5 (CVE-2016-1500)
        core/51c6cd5c6a725b4849d995049163a0b87a9c3a58
    ownCloud Server < 8.0.10 (CVE-2016-1500)
        core/07fb3e329b37c19d9eb6a3a114e00a09f3f2798b
    ownCloud Server < 7.0.12 (CVE-2016-1500)
        core/f746100e13dcadf8a2b6d311422a1c66c959565c
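
The affected-version lists above are given per release branch, so a plain "< 8.2.2" comparison would wrongly flag 8.1.5 as vulnerable. The following is an added example (not part of this bug report or of ownCloud) that checks an installed version against the fix versions quoted above; the function names and the "not-listed" result for branches the advisories do not name are assumptions.

```python
import re

# Fix version per release branch, copied from the advisories quoted above.
_ALL = {(7, 0): (7, 0, 12), (8, 0): (8, 0, 10), (8, 1): (8, 1, 5), (8, 2): (8, 2, 2)}
FIXED = {
    "CVE-2016-1498": _ALL,
    # The quoted list for CVE-2016-1499 names no 7.0 branch.
    "CVE-2016-1499": {b: v for b, v in _ALL.items() if b != (7, 0)},
    "CVE-2016-1500": _ALL,
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)*(?:-r\d+)?")


def parse_version(text):
    """Turn '8.1.4', '8.1.4.2' or Gentoo-style '8.1.4-r1' into (8, 1, 4)."""
    m = _VERSION.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def status(version, cve):
    """Return 'affected', 'fixed' or 'not-listed' for one CVE."""
    v = parse_version(version)
    fix = FIXED[cve].get(v[:2])
    if fix is None:
        # Assumption: a branch the advisory does not name is reported as such, not guessed at.
        return "not-listed"
    return "affected" if v < fix else "fixed"


def report(version):
    """Status of every CVE tracked in this bug for one installed version."""
    return {cve: status(version, cve) for cve in sorted(FIXED)}


if __name__ == "__main__":
    for installed in ("7.0.11", "8.1.4", "8.1.5", "8.2.2-r1"):  # constructed sample versions
        print(installed, report(installed))
```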
Comment 1 Bernard Cafarelli gentoo-dev 2016-01-11 19:58:57 UTC
So that was what all the sudden version bumps on December 22nd were about!

Vulnerable versions dropped from tree:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b4b4bb2173a3001c5000536d92a097b57941e7d4