Due to not verifying the CSRF token on the import functionality of the “bookmarks” application, it was vulnerable against CSRF attacks.
The “bookmarks” application is disabled by default.
An unauthenticated attacker could have used this to import bookmarks into the “bookmarks” application if the victim visits a specially crafted website and is logged-in into the ownCloud instance at the same time.
Furthermore, an unauthenticated attacker could leverage this vulnerability with oC-SA-2014-028 resulting in a potential Cross-site scripting vulnerability.
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 5.0.18 | |
owncloud server | lt | 6.0.6 | |
owncloud server | lt | 7.0.3 |