Due to not verifying whether a request was intentionally provided by the user who submitted an request the documents application is vulnerable against several CSRF attacks.
An attacker could have used this to arbitrary modify existing files or rename it.
We reviewed the CSRF protection of the documents application and added checks where necessarily.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 6.0.3 |