Server: Privilege escalation in the contacts application

ID OC-SA-2013-018
Type owncloud
Reporter ownCloud
Modified 2013-04-19T11:42:22


Because the contacts application does not properly check the ownership of a single contact, an authenticated attacker is able to download contacts of other users. This affects all ownCloud versions prior to 5.0.5, including the 4.5.x branch.

Note: Successful exploitation of this privilege escalation requires the "contacts" app to be enabled (enabled by default).
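
The missing per-contact ownership check described above, shown beside a corrected form. This is an added example in plain PHP, not ownCloud's code: the function names, the contact-to-address-book-to-owner model and the sample data are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data (assumed model: each contact belongs to an
// address book, and each address book has exactly one owner).
$books = [1 => ['owner' => 'alice'], 2 => ['owner' => 'bob']];
$contacts = [
    10 => ['book' => 1, 'vcard' => "BEGIN:VCARD\nFN:Contact of alice\nEND:VCARD"],
    20 => ['book' => 2, 'vcard' => "BEGIN:VCARD\nFN:Contact of bob\nEND:VCARD"],
];

// Flawed pattern (hypothetical handler): authentication is assumed to have
// happened, but the requested id is trusted, so $user is never consulted.
function exportUnchecked(array $contacts, string $user, int $id): ?string
{
    return $contacts[$id]['vcard'] ?? null;
}

// Corrected pattern (hypothetical handler): resolve contact -> address book
// -> owner on every single-contact request and compare with the session user.
function exportChecked(array $contacts, array $books, string $user, int $id): ?string
{
    $contact = $contacts[$id] ?? null;
    if ($contact === null) {
        return null;
    }
    $owner = $books[$contact['book']]['owner'] ?? null;
    // Strict comparison; a missing or orphaned address book also fails closed.
    if ($owner !== $user) {
        // Same result as "not found", so the response does not confirm
        // that a contact with this id exists for someone else.
        return null;
    }
    return $contact['vcard'];
}

// Report whether a handler served or refused the request.
function outcome(?string $vcard): string
{
    return $vcard === null ? 'refused' : 'served';
}

// bob is authenticated; contact 10 belongs to alice, contact 20 to bob.
printf("unchecked, bob requests 10: %s\n", outcome(exportUnchecked($contacts, 'bob', 10)));
printf("checked,   bob requests 10: %s\n", outcome(exportChecked($contacts, $books, 'bob', 10)));
printf("checked,   bob requests 20: %s\n", outcome(exportChecked($contacts, $books, 'bob', 20)));
```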

This advisory is licensed CC BY-SA 4.0