Last Updated: February 21, 2020

Description

A reflected and DOM-based XSS vulnerability was addressed in mycloud.com cloud services which could allow an attacker to exfiltrate a user’s session and take over their cloud account. The victim can be tricked into issuing a request which could be used to execute a malicious script.

Advisory Summary

Resolved an issue where an attacker can execute arbitrary code in a user’s current browser session. With this XSS vulnerability, a malicious third-party website could modify the session cookie with a payload to help take over a victim’s browser. An attacker could then execute arbitrary code in the user’s browser session and access application data.

Affected cloud service URLs include idp.mycloud.com and files.mycloud.com. The vulnerability is fixed in the latest update version 2.2.0-134

CVE Number: CVE-2020-8960

Reported by: Frantisek Uhrecky