Updated owncloud packages fix security vulnerability
Publication date: 29 Jan 2016Modification date: 29 Jan 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-1498 , CVE-2016-1499 , CVE-2016-1500
Description
A Cross-site scripting (XSS) vulnerability in the OCS discovery provider
in ownCloud Server before 8.0.10 allows remote attackers to inject
arbitrary web script or HTML via the URL resulting in a reflected
Cross-Site-Scripting (CVE-2016-1498).
ownCloud Server before 8.0.10 allows remote authenticated users to obtain
sensitive information from a directory listing and possibly cause a denial
of service (CPU consumption) via the force parameter to
index.php/apps/files/ajax/scan.php (CVE-2015-1499).
ownCloud Server before 8.0.10, when the "file_versions" application is
enabled, does not properly check the return value of getOwner, which
allows remote authenticated users to read the files with names starting
with ".v" and belonging to a sharing user by leveraging an incoming share
(CVE-2016-1500).
References
- https://bugs.mageia.org/show_bug.cgi?id=17620
- https://owncloud.org/security/advisory/?id=oc-sa-2016-001
- https://owncloud.org/security/advisory/?id=oc-sa-2016-002
- https://owncloud.org/security/advisory/?id=oc-sa-2016-003
- https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176017.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1498
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1499
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1500
SRPMS
5/core
- owncloud-8.0.10-1.mga5