Advisories ยป MGASA-2016-0040

Updated owncloud packages fix security vulnerability

Publication date: 29 Jan 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-1498 , CVE-2016-1499 , CVE-2016-1500

Description

A Cross-site scripting (XSS) vulnerability in the OCS discovery provider
in ownCloud Server before 8.0.10 allows remote attackers to inject
arbitrary web script or HTML via the URL resulting in a reflected
Cross-Site-Scripting (CVE-2016-1498).

ownCloud Server before 8.0.10 allows remote authenticated users to obtain
sensitive information from a directory listing and possibly cause a denial
of service (CPU consumption) via the force parameter to
index.php/apps/files/ajax/scan.php (CVE-2015-1499).

ownCloud Server before 8.0.10, when the "file_versions" application is
enabled, does not properly check the return value of getOwner, which
allows remote authenticated users to read the files with names starting
with ".v" and belonging to a sharing user by leveraging an incoming share
(CVE-2016-1500).
                

References

SRPMS

5/core