CVE-2013-0201
Description
Multiple reflected XSS in ownCloud 4.5.5 and earlier allow remote attackers to inject arbitrary script via three parameters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple reflected cross-site scripting (XSS) vulnerabilities exist in ownCloud versions 4.5.5, 4.0.10, and earlier. The application fails to sanitize user-supplied input before reflecting it in HTTP responses. Three distinct vectors are identified: (1) the QUERY_STRING in core/lostpassword/templates/resetpassword.php, (2) the mime parameter in apps/files/ajax/mimeicon.php, and (3) the token parameter in apps/gallery/sharing.php [1][2].
Exploitation
An unauthenticated remote attacker can craft a malicious URL containing arbitrary HTML or JavaScript in a vulnerable parameter, for example by appending script to the query string of the reset-password page or by injecting code via the mime or token parameters. The attacker must then trick a victim into visiting the crafted URL, typically through social engineering or by embedding the link in a third-party site.
Impact
Successful exploitation allows the attacker to execute arbitrary web script in the victim's browser within the ownCloud session context. This can lead to session hijacking, theft of sensitive data, or unauthorized actions performed on behalf of the victim. The impact is limited to the victim's user privileges within the ownCloud instance.
Mitigation
Fixes for the first two vectors are available in the ownCloud core repository: commit 4e2b834 addresses the QUERY_STRING issue by using GET instead [1], and commit b8e0309 sanitizes the mime parameter by replacing backslashes [2]. The third vector (token parameter) is not addressed in the provided references; users should upgrade to a version that includes patches for all vectors (e.g., ownCloud 4.5.6 or later) or apply input validation as a workaround. No KEV listing is known.
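The two patterns described in the Vulnerability and Mitigation sections, reflecting raw request input into HTML versus reading one named GET parameter, validating it and encoding it on output, shown as an added PHP illustration. This is not ownCloud's code and does not reproduce the referenced commits; the function names, the template string and the sample token value are constructed for this example.

```php
<?php
// Added illustration, not ownCloud's code: a hypothetical page fragment that
// reflects request input, shown first in the vulnerable form the advisory
// describes and then in a hardened form. Function names and the template
// string are constructed for this example.

// Vulnerable pattern: the raw QUERY_STRING is concatenated straight into
// HTML, so whatever appears in the URL lands in the page unencoded.
function renderVulnerable(string $queryString): string
{
    return '<a href="index.php?' . $queryString . '">Back to login</a>';
}

// Hardened pattern: read only the parameter the page needs from the parsed
// GET array (rather than the raw query string), validate its shape, and
// HTML-encode it on output. Unexpected input is dropped rather than echoed.
function renderHardened(array $get): string
{
    $token = is_string($get['token'] ?? null) ? $get['token'] : '';
    // Reset tokens are expected to be alphanumeric; anything else is rejected.
    if (!preg_match('/\A[A-Za-z0-9]{1,64}\z/', $token)) {
        $token = '';
    }
    // ENT_QUOTES encodes both quote styles, which matters inside an attribute;
    // ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
    $safe = htmlspecialchars($token, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="index.php?token=' . $safe . '">Back to login</a>';
}

// Constructed sample request: a token value that tries to close the href
// attribute early and add its own markup to the page.
$queryString = 'token=abc123"><i>injected</i>';
parse_str($queryString, $get);

// Vulnerable output: the attribute is closed early and the markup is live.
echo renderVulnerable($queryString), PHP_EOL;
// Hardened output: the malformed token fails validation and nothing from the
// request reaches the page.
echo renderHardened($get), PHP_EOL;
// Hardened output for a benign token, to show encoding leaves it usable.
echo renderHardened(['token' => 'abc123']), PHP_EOL;

// Self-check a reviewer can run: no raw tag from the request survives in
// the hardened output.
if (strpos(renderHardened($get), '<i>') !== false) {
    throw new RuntimeException('hardened output still reflects request markup');
}
```

Run it with `php example.php`. The first line of output shows the attribute broken out of and the injected element rendered; the second shows an empty token, because the value failed the allow-list, and the third shows a valid token passed through encoded. The two controls are independent: the allow-list limits what the page will accept at all, and `htmlspecialchars()` guarantees that whatever is accepted cannot change the HTML structure, so either one alone already neutralizes this reflection, and the pair covers the case where the allowed alphabet later widens.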
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/owncloud/core/commit/4e2b834 (NVD tags: Exploit, Patch)
- github.com/owncloud/core/commit/b8e0309 (NVD tags: Exploit, Patch)
- owncloud.org/about/security/advisories/oC-SA-2013-001 (NVD tags: Vendor Advisory)
- osvdb.org/89505 (NVD tags: Broken Link)
- osvdb.org/89506 (NVD tags: Broken Link)
- osvdb.org/89511 (NVD tags: Broken Link)
- exchange.xforce.ibmcloud.com/vulnerabilities/81475 (NVD)
News mentions
No linked articles in our index yet.