# XSS vulnerability in jPlayer (oC-SA-2013-014)

Web: https://owncloud.org/about/security/advisories/oC-SA-2013-014/

## CVE IDENTIFIERS
- CVE-2013-1942 (jPlayer)

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- High

## COMMITS
- 53672a0 (stable5)
- 8716b7f (stable45)
- 60f6bfa (stable4)

## DESCRIPTION
A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.4, including the 4.x branch, allows remote attackers to execute arbitrary JavaScript in the browser of a user who opens a specially crafted URL. The vulnerability lies in the bundled third-party plugin “jPlayer”. jPlayer released version 2.2.20, which addresses the problem; at the time of this advisory that version is not yet officially released and is only available from the jPlayer Git repository.

## CREDITS
The ownCloud Team would like to thank Malte Batram (batr.am) for discovering this vulnerability and responsibly disclosing it to us and upstream.

## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2

---------------------------------------

# Postgre: Insecure database password generator (oC-SA-2013-015)

Web: https://owncloud.org/about/security/advisories/oC-SA-2013-015/

## CVE IDENTIFIERS
- CVE-2013-1941

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- Critical

## COMMITS
- 9a4fe09 (stable5)
- 463039d (stable45)
- cdd10ba (stable4)

## DESCRIPTION
Because the installation routine uses “time()” as its random source, the generated PostgreSQL database user password has very little entropy and can easily be guessed. Updating ownCloud fixes the generator but does not replace a password that was already generated by it, so we recommend every PostgreSQL admin change the database user password as soon as possible!

Note: This vulnerability only affects servers using PostgreSQL as their database.
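The following is an added example, not ownCloud's installer code, that models the flaw in oC-SA-2013-015: a password generator whose only secret is the Unix timestamp at install time, next to the fixed pattern that draws from the operating system's CSPRNG. The password length, alphabet, the `is_valid` callback standing in for a PostgreSQL login attempt, and the install timestamp used in the scenario are all assumptions chosen for illustration.

```python
"""Model of a time()-seeded password generator and how cheaply it is recovered.

Added example, not ownCloud or PostgreSQL code. Assumptions: the generator's
only secret is the Unix timestamp at install time, and the attacker can test
candidate passwords (here a callback; in practice, PostgreSQL login attempts).
"""
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols (assumed alphabet)
PASSWORD_LENGTH = 12                              # assumed length


def weak_db_password(install_time: int, length: int = PASSWORD_LENGTH) -> str:
    """Vulnerable pattern: a deterministic PRNG seeded from time() alone."""
    rng = random.Random(install_time)  # the whole 'secret' is one timestamp
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_db_password(length: int = 32) -> str:
    """Fixed pattern: every character comes from the OS CSPRNG via secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_weak_password(is_valid, approx_install_time: int, window_seconds: int):
    """Attacker side: replay the generator for every second in a suspected window.

    is_valid(candidate) stands in for a login attempt against the database.
    Returns (timestamp, password) on success, or None if the window was wrong.
    """
    start = approx_install_time - window_seconds
    stop = approx_install_time + window_seconds
    for t in range(start, stop + 1):
        candidate = weak_db_password(t)
        if is_valid(candidate):
            return t, candidate
    return None


def effective_entropy_bits(window_seconds: int) -> float:
    """Entropy actually available when the seed is a timestamp in a 2w+1 second window."""
    return math.log2(2 * window_seconds + 1)


def nominal_entropy_bits(length: int = PASSWORD_LENGTH) -> float:
    """What a uniformly random password of the same shape would provide."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed scenario: the attacker knows the install time to within an hour
    # (for example from a file timestamp) and guesses 40 minutes late.
    install_time = 1365000000
    real_password = weak_db_password(install_time)
    found = recover_weak_password(lambda p: p == real_password,
                                  install_time + 2400, 3600)
    print("recovered:", found)
    print(f"nominal entropy {nominal_entropy_bits():.1f} bits, "
          f"effective {effective_entropy_bits(3600):.1f} bits")
    print("replacement password:", strong_db_password())
```

The search space is bounded by how precisely the attacker can date the installation, not by the password's length: a one hour window is about 13 bits, whereas a 12 character password from a 62 symbol alphabet nominally offers about 71 bits. Rotating the database password, rather than only upgrading, is what actually closes the hole on an existing install.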
## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2

---------------------------------------

# Windows: Local file disclosure (oC-SA-2013-016)

Web: https://owncloud.org/about/security/advisories/oC-SA-2013-016/

## CVE IDENTIFIERS
- CVE-2013-1939 (SabreDAV)

## AFFECTED SOFTWARE
- ownCloud Server < 5.0.4
- ownCloud Server < 4.5.9
- ownCloud Server < 4.0.14

## RISK
- High

## COMMITS
- c23a065 (stable5)
- ade2831 (stable45)
- 792c5ec (stable4)

## DESCRIPTION
Because “\” is not rejected as a path separator in all ownCloud versions prior to 5.0.4, including the 4.x branch, an authenticated remote attacker is able to download arbitrary files from the server when it runs under Windows, where the filesystem honours “\” as a separator. The vulnerability lies in the DAV implementation we use, “SabreDAV”, and was found by the ownCloud security team. SabreDAV has released fixed versions that address this problem.

## RESOLUTION
Update to ownCloud Server 5.0.4, 4.5.9 or 4.0.14
http://download.owncloud.org/community/owncloud-5.0.4.tar.bz2
http://download.owncloud.org/community/owncloud-4.5.9.tar.bz2
http://download.owncloud.org/community/owncloud-4.0.13.tar.bz2

--
ownCloud
Your Cloud, Your Data, Your Way!
GPG: 0xEB32B77BA406BE99

_______________________________________________
Announcements mailing list
[email protected]
http://mailman.owncloud.org/mailman/listinfo/announcements
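The following is an added example for the Windows local file disclosure advisory (oC-SA-2013-016) above; it is neither SabreDAV nor ownCloud code. It models a path filter that only understands “/” as a separator, shows with Python's `ntpath` and `posixpath` modules why the same request escapes the user's file root on Windows but not on Linux, and gives the hardened check that rejects “\” outright. The root directories, the request payload and the shape of the pre-fix check are assumptions for illustration.

```python
"""Why a backslash in a WebDAV path is a traversal on Windows.

Added example, not SabreDAV or ownCloud code. Assumption: the pre-fix filter
split only on "/" when looking for "..", while the filesystem underneath
(Windows) also treats "\\" as a separator.
"""
import ntpath
import posixpath


def naive_dav_path_ok(requested: str) -> bool:
    """Assumed pre-fix check: reject '..' only as a '/'-delimited component."""
    return ".." not in requested.split("/")


def hardened_dav_path_ok(requested: str) -> bool:
    """Fixed check: a backslash or NUL is never a legitimate DAV path character,
    so refuse the request instead of trying to normalise it away."""
    if "\\" in requested or "\x00" in requested:
        return False
    parts = requested.split("/")
    return ".." not in parts and not requested.startswith("/")


def escapes_root(root: str, requested: str, flavor: str = "windows") -> bool:
    """Resolve 'requested' under 'root' with the path semantics of the given OS
    ('windows' -> ntpath, 'posix' -> posixpath) and report whether the result
    lands outside root. Pure string resolution, no filesystem access."""
    pathmod = ntpath if flavor == "windows" else posixpath
    root = pathmod.normpath(root)
    resolved = pathmod.normpath(pathmod.join(root, requested))
    return not (resolved == root or resolved.startswith(root + pathmod.sep))


# Constructed scenario values (assumed layout, not ownCloud's real one).
WIN_ROOT = r"C:\owncloud\data\alice\files"
POSIX_ROOT = "/var/www/owncloud/data/alice/files"
PAYLOAD = r"..\..\..\config\config.php"   # three levels up, then a sensitive file

if __name__ == "__main__":
    print("naive check accepts payload:   ", naive_dav_path_ok(PAYLOAD))
    print("escapes root on Windows:       ", escapes_root(WIN_ROOT, PAYLOAD, "windows"))
    print("escapes root on Linux:         ", escapes_root(POSIX_ROOT, PAYLOAD, "posix"))
    print("hardened check accepts payload:", hardened_dav_path_ok(PAYLOAD))
```

On Linux the whole payload is one odd filename inside the user's directory, which is why the advisory limits the impact to Windows servers. Rejecting the character is preferable to normalising it: a filter that tries to canonicalise both separators has to match the exact semantics of every filesystem the server may run on, whereas refusing “\” has no false negatives.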
