Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use:
- addBookmark.php in bookmarks/ajax/
- delBookmark.php in bookmarks/ajax/
- editBookmark.php in bookmarks/ajax/
- calendar/delete.php in calendar/ajax/
- calendar/edit.php in calendar/ajax/
- calendar/new.php in calendar/ajax/
- calendar/update.php in calendar/ajax/
- event/delete.php in calendar/ajax/
- event/edit.php in calendar/ajax/
- event/move.php in calendar/ajax/
- event/new.php in calendar/ajax/
- import/import.php in calendar/ajax/
- settings/setfirstday.php in calendar/ajax/
- settings/settimeformat.php in calendar/ajax/
- share/changepermission.php in calendar/ajax/
- share/share.php in calendar/ajax/
- share/unshare.php in calendar/ajax/
- external/ajax/setsites.php in apps/
- files/ajax/delete.php in apps/
- files/ajax/move.php in apps/
- files/ajax/newfile.php in apps/
- files/ajax/newfolder.php in apps/
- files/ajax/rename.php in apps/
- files_sharing/ajax/email.php in apps/
- files_sharing/ajax/setpermissions.php in apps/
- files_sharing/ajax/share.php in apps/
- files_sharing/ajax/toggleresharing.php in apps/
- files_sharing/ajax/togglesharewitheveryone.php in apps/
- files_sharing/ajax/unshare.php in apps/
- files_texteditor/ajax/savefile.php in apps/
- files_versions/ajax/rollbackVersion.php in apps/
- gallery/ajax/createAlbum.php in apps/
- gallery/ajax/sharing.php in apps/
- tasks/ajax/addtask.php in apps/
- tasks/ajax/addtaskform.php in apps/
- tasks/ajax/delete.php in apps/
- tasks/ajax/edittask.php in apps/
or of administrators for requests that use:
- changepassword.php in settings/ajax/
- creategroup.php in settings/ajax/
- createuser.php in settings/ajax/
- disableapp.php in settings/ajax/
- enableapp.php in settings/ajax/
- lostpassword.php in settings/ajax/
- removegroup.php in settings/ajax/
- removeuser.php in settings/ajax/
- setlanguage.php in settings/ajax/
- setloglevel.php in settings/ajax/
- setquota.php in settings/ajax/
- togglegroups.php in settings/ajax/
For more information, please consult the official advisory.
This advisory is licensed CC BY-SA 4.0