Due to not properly checking the ownership of a single contact, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5 including the 4.5.x branch.
Note: Successful exploitation of this privilege escalation requires the “contacts” app to be enabled (enabled by default).
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 4.5.10 | |
owncloud server | lt | 5.0.5 |