ownCloud 4.0.6 and all versions previous to this doesn’t sufficiently verify whether a request to appconfig.php was sent by an admin, which allows remote authenticated users to edit app configurations.
NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393.
It is recommended that all instances are upgraded to ownCloud Server 4.0.7.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
CPE | Name | Operator | Version |
---|---|---|---|
owncloud server | lt | 4.0.6 |