A cross-site scripting (XSS) vulnerability in all ownCloud versions
prior to 5.0.4 including the 4.x branch allows remote attackers to
This vulnerability exists in the third-party plugin "jPlayer",
"jPlayer" released version 2.2.20 which addresses the problem. This
version is not yet officially released and only available via their
The ownCloud Team would like to thank Malte Batram (batr.am) for
discovering this vulnerability and responsibly disclosing this to us
Because "\" is not rejected as a path separator, in all ownCloud
versions prior to 5.0.4, including the 4.x branch, an authenticated
remote attacker is able to download arbitrary files from the server
when ownCloud is running under Windows.
This vulnerability exists inside the DAV implementation we use,
"SabreDAV", and was found by the ownCloud security team. SabreDAV
released fixed versions to address this problem.
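
The separator problem described above, as an added example (not ownCloud's or SabreDAV's code): a traversal check that only splits on "/" beside one that also rejects "\", with Python's ntpath module modelling how Windows resolves the resulting path. The storage root, function names and request paths are constructed for illustration.

```python
import ntpath

# Constructed storage root for one user on a Windows host (assumption).
ROOT = r"C:\owncloud\data\alice\files"


def segments_slash_only(request_path):
    # Flawed check: only "/" is treated as a separator, so a segment such
    # as "..\..\x" is one opaque name and never equals "..".
    parts = [p for p in request_path.split("/") if p]
    return all(p not in (".", "..") for p in parts)


def segments_strict(request_path):
    # Hardened check: also reject any segment that contains a backslash
    # (a separator on Windows) or a NUL byte.
    parts = [p for p in request_path.split("/") if p]
    return all(
        p not in (".", "..") and "\\" not in p and "\x00" not in p
        for p in parts
    )


def resolve_on_windows(request_path):
    # Model Windows path resolution: "/" and "\" both separate components.
    return ntpath.normpath(ntpath.join(ROOT, request_path.lstrip("/")))


def stays_in_root(request_path):
    # Defence in depth: confirm the resolved path is still under ROOT.
    resolved = resolve_on_windows(request_path)
    return resolved == ROOT or resolved.startswith(ROOT + "\\")


# Constructed request paths: one ordinary, one using "\" between segments.
SAMPLES = ["docs/report.txt", r"docs/..\..\..\config\config.php"]


def audit(paths=SAMPLES):
    # One row per path: (path, flawed verdict, strict verdict, in root?)
    return [
        (p, segments_slash_only(p), segments_strict(p), stays_in_root(p))
        for p in paths
    ]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The second sample passes the slash-only check yet resolves outside the root, which is why the validator has to reject "\" itself and not only ".." segments.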