A cross-site scripting (XSS) vulnerability in all ownCloud versions
prior to 5.0.5 and 4.5.10 except the 4.0.x branch allows remote attackers to
This vulnerability exists in the bundled third-party plugin
"MediaElement.js". MediaElement.js released version 2.11.2, which
addresses the problem.
The ownCloud Team would like to thank Malte Batram (batr.am) for
discovering this vulnerability and responsibly disclosing it to us.

Due to not properly checking the ownership of a single contact, an
authenticated attacker is able to download the contacts of other users in
all ownCloud versions prior to 5.0.5, including the 4.5.x branch.
Note: Successful exploitation of this privilege escalation requires
the "contacts" app to be enabled (it is enabled by default).