Server: Privilege escalation and CSRF in the API

2013-05-14T11:42:22
ID OC-SA-2013-025
Type owncloud
Reporter ownCloud
Modified 2013-05-14T11:42:22

Description

Due to an insufficient permission check, an authenticated attacker is able to execute API commands as administrator. Additionally, an unauthenticated attacker could abuse this flaw as a cross-site request forgery vulnerability.


For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0