Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to hijack the authentication for users via:
- the “lat” and “lng” POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits: 452a626 (stable45), 015ac6a (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of the user.
- the “timezonedetection” POST parameter to timezonedetection.php in /apps/calendar/ajax/settings/ (CVE-2013-0299)
  - Commits: 452a626 (stable45), 97d0cee (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
  - Impact: An attacker may be able to disable or enable the automatic timezone detection.
- the “admin_export” POST parameter to settings.php in /apps/admin_migrate/ (CVE-2013-0299)
  - Commits: bc93744 (stable45), 28dc89e (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the “admin_migrate” app to be enabled (disabled by default).
  - Impact: An attacker may be able to import a user account.
- the “operation” POST parameter to export.php in /apps/user_migrate/ajax/ (CVE-2013-0299)
  - Commits: 2de405a (stable45), de9befd (stable4)
  - Risk: Moderate
  - Note: Successful exploitation of this CSRF requires the “user_migrate” app to be enabled (disabled by default).
  - Impact: An attacker may be able to overwrite files of the logged-in user.
- multiple unspecified POST parameters to settings.php in /apps/user_ldap/ (CVE-2013-0299)
  - Commits: 5ec272d (stable45), b966095 (stable4)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the “user_ldap” app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and all prior versions (except 4.0.x) allow remote attackers to hijack the authentication for users via:
- the “v” POST parameter to changeview.php in /apps/calendar/ajax/ (CVE-2013-0300)
  - Commits: 452a626 (stable45)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the default view of a user.
- multiple unspecified parameters to addRootCertificate.php, dropbox.php and google.php in /apps/files_external/ajax/ (CVE-2013-0300)
  - Commits: 2e819d6 and 24a7381e9f (stable45)
  - Risk: Medium
  - Note: Successful exploitation of this CSRF requires the “files_external” app to be enabled (disabled by default).
  - Impact: An attacker may be able to mount arbitrary Google Drive or Dropbox folders into the internal filesystem.
- multiple unspecified POST parameters to settings.php in /apps/user_webdavauth/ (CVE-2013-0300)
  - Commits: 9282641 (stable45)
  - Risk: High
  - Note: Successful exploitation of this CSRF requires the “user_webdavauth” app to be enabled (disabled by default).
  - Impact: An attacker may be able to change the authentication server URL.
A cross-site request forgery (CSRF) vulnerability in ownCloud 4.0.11 and all prior versions allows remote attackers to hijack the authentication for users via:
- the “timezone” POST parameter to settimezone in /apps/calendar/ajax/settings/ (CVE-2013-0301)
  - Commits: 97d0cee (stable4)
  - Risk: Negligible
  - Note: Successful exploitation of this CSRF requires the “calendar” app to be enabled (enabled by default).
  - Impact: An attacker may be able to change the timezone of a user.
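All of the entries above share one root cause: a state-changing ajax endpoint that trusts the session cookie alone, so a browser can be made to submit the POST from another origin. The following is an added illustration, not ownCloud's own code, modelling the timezone items: the unprotected handler pattern beside a version gated on a per-session request token (synchronizer token pattern). The function names and the session layout are assumptions.

```php
<?php
// Added example (not ownCloud's code). Models a "set timezone" ajax handler
// that changes per-user state from a POST parameter. Function names and the
// session array layout are assumptions for illustration only.

// Issue a per-session request token that forms must send back with each POST.
function issueRequestToken(array &$session): string {
    if (empty($session['requesttoken'])) {
        $session['requesttoken'] = bin2hex(random_bytes(16));
    }
    return $session['requesttoken'];
}

// Verify the token the client sent back. hash_equals() compares in constant
// time, so a wrong token does not leak which bytes matched.
function callCheck(array $session, array $post): bool {
    if (empty($session['requesttoken']) || empty($post['requesttoken'])) {
        return false;
    }
    return hash_equals($session['requesttoken'], (string) $post['requesttoken']);
}

// Unprotected pattern: only the login state is checked, so any POST that the
// victim's browser sends (with its cookies) is accepted, whoever triggered it.
function setTimezoneVulnerable(array &$session, array $post): bool {
    if (empty($session['user'])) {
        return false;
    }
    $session['timezone'] = $post['timezone'];
    return true;
}

// Hardened pattern: same handler, but the request must carry the session's
// token, and the value is validated against the known timezone identifiers.
function setTimezoneHardened(array &$session, array $post): bool {
    if (empty($session['user']) || !callCheck($session, $post)) {
        return false;
    }
    $tz = $post['timezone'] ?? '';
    if (!in_array($tz, timezone_identifiers_list(), true)) {
        return false;
    }
    $session['timezone'] = $tz;
    return true;
}

// Constructed demo: a cross-site form post carries the cookie but no token.
$session = ['user' => 'alice', 'timezone' => 'UTC'];
issueRequestToken($session);
$forgedPost = ['timezone' => 'Pacific/Auckland'];
var_dump(setTimezoneVulnerable($session, $forgedPost));
var_dump(setTimezoneHardened($session, $forgedPost));
```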
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0.