Because the ownership of a calendar is not properly checked, an authenticated attacker is able to download the calendars of other users via the “calendar_id” GET parameter of /apps/calendar/ajax/events.php.
Note: Successful exploitation of this privilege escalation requires the “calendar” app to be enabled (enabled by default).
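The missing authorization check behind this advisory, shown as an added example in Python rather than ownCloud's own PHP (the handler names, in-memory store, sample users and status codes are constructed assumptions): the vulnerable handler returns whatever calendar the client names, while the fixed one resolves the calendar and then requires that the session user owns it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Calendar:
    id: int
    owner: str      # user name of the owning account
    events: tuple   # event titles, kept simple for the example


# Constructed sample store: two users, each owning one private calendar.
CALENDARS = {
    1: Calendar(1, "alice", ("Dentist 09:00",)),
    2: Calendar(2, "bob", ("Board meeting 14:00",)),
}


def _parse_calendar_id(params: dict):
    """Return the calendar_id GET parameter as an int, or None if missing/invalid."""
    try:
        return int(params["calendar_id"])
    except (KeyError, ValueError, TypeError):
        return None


def events_vulnerable(session_user: str, params: dict) -> tuple:
    """Mirrors the flaw: the calendar is selected solely by the client-supplied
    calendar_id; session_user is never compared with the calendar's owner, so any
    authenticated user can read any calendar whose id they supply."""
    calendar_id = _parse_calendar_id(params)
    if calendar_id is None or calendar_id not in CALENDARS:
        return 400, ()
    return 200, CALENDARS[calendar_id].events


def events_fixed(session_user: str, params: dict) -> tuple:
    """Hardened handler: resolve the calendar, then require that the authenticated
    user owns it before any event data is returned."""
    calendar_id = _parse_calendar_id(params)
    if calendar_id is None:
        return 400, ()
    calendar = CALENDARS.get(calendar_id)
    # One response for 'does not exist' and 'not yours', so the endpoint cannot
    # be used to enumerate which calendar ids exist.
    if calendar is None or calendar.owner != session_user:
        return 403, ()
    return 200, calendar.events
```

The ownership comparison must happen against the server-side session identity, never against anything the client sends alongside calendar_id.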
It is recommended that all instances are upgraded to ownCloud Server 5.0.6 or 4.5.11.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: