Icewind1991

**Name of the Vulnerable Software and Affected Versions** ownCloud versions prior to 4.0.9 ownCloud versions 4.5.x prior to 4.5.2 **Description** The issue allows remote authenticated users to execute arbitrary PHP code by uploading a file with a specially crafted name due to an incomplete blacklist vulnerability in lib/filesystem.php. **Recommendations** For ownCloud versions prior to 4.0.9, update to version 4.0.9 or later. For ownCloud versions 4.5.x prior to 4.5.2, update to version 4.5.2 or later.

**Name of the Vulnerable Software and Affected Versions** ownCloud versions prior to 4.0.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different ownCloud components. This includes file names, url, title, tag, page, identity, stack name, root, calendar displayname, calendar uri, title, location, description, and certain vectors in JavaScript files, as well as artist, album, or title comments. **Recommendations** For ownCloud versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected components, such as apps/user ldap/settings.php, apps/bookmarks/ajax/editBookmark.php, and apps/gallery/lib/tiles.php, until a patch is available. Avoid using the vulnerable parameters, such as `url`, `title`, `tag`, `page`, `identity`, `stack name`, `root`, `calendar displayname`, `calendar uri`, `title`, `location`, `description`, `artist`, `album`, or `title comments`, in the affected API endpoints and scripts, like apps/bookmarks/ajax/updateList.php and apps/media/lib scanner.php, until the issue is resolved.