Because a user was authenticated without invalidating any existing session identifier, an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET.
The session is now regenerated after a successful login.
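The fix described above, sketched as an added example (this is not ownCloud's code): the login handler issues a new session ID once the credentials check passes, and the PHP settings keep session identifiers out of GET parameters. `verify_credentials()`, the form field names and the demo account are hypothetical.

```php
<?php
// Added example, not taken from ownCloud.

// Accept the session ID from the cookie only, never from the URL.
// These must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs that the server did not issue itself.
ini_set('session.use_strict_mode', '1');

session_start();

// Hypothetical credential check with one constructed demo account.
function verify_credentials(string $user, string $password): bool
{
    $hash = password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($password, $hash);
}

function login(string $user, string $password): bool
{
    if (!verify_credentials($user, $password)) {
        return false;
    }
    // Replace the pre-login ID and delete the old session file, so an
    // identifier that existed before authentication is never the one
    // that ends up bound to the logged-in user.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login($_POST['user'] ?? '', $_POST['password'] ?? '');
    http_response_code($ok ? 200 : 401);
    echo $ok ? "logged in\n" : "login failed\n";
}
```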
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: