Lucene search
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.OWNCLOUD:C7B25A64BFED521BD4973F10ACAC4E6BHistoryJul 01, 2012 - 5:19 p.m.
Several CSRF security fixes - ownCloud
2012-07-0117:19:52
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
owncloud.org
23
0.004 Low
EPSS
Percentile
72.3%
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use
- addBookmark.php in bookmarks/ajax/
- delBookmark.php in bookmarks/ajax/
- editBookmark.php in bookmarks/ajax/
- calendar/delete.php in calendar/ajax/
- calendar/edit.php in calendar/ajax/
- calendar/new.php in calendar/ajax/
- calendar/update.php in calendar/ajax/
- event/delete.php in calendar/ajax/
- event/edit.php in calendar/ajax/
- event/move.php in calendar/ajax/
- event/new.php in calendar/ajax/
- import/import.php in calendar/ajax/
- settings/setfirstday.php in calendar/ajax/
- settings/settimeformat.php in calendar/ajax/
- share/changepermission.php in calendar/ajax/
- share/share.ph in calendar/ajax/
- share/unshare.php in calendar/ajax/
- external/ajax/setsites.php in apps/
- files/ajax/delete.php in apps/
- files/ajax/move.php in apps/
- files/ajax/newfile.php in apps/
- files/ajax/newfolder.php in apps/
- files/ajax/rename.php in apps/
- files_sharing/ajax/email.php in apps/
- files_sharing/ajax/setpermissions.php in apps/
- files_sharing/ajax/share.php in apps/
- files_sharing/ajax/toggleresharing.php in apps/
- files_sharing/ajax/togglesharewitheveryone.php in apps/
- files_sharing/ajax/unshare.php in apps/
- files_texteditor/ajax/savefile.php in apps/
- files_versions/ajax/rollbackVersion.php in apps/
- gallery/ajax/createAlbum.php in apps/
- gallery/ajax/sharing.php in apps/
- tasks/ajax/addtask.php in apps/
- tasks/ajax/addtaskform.php in apps/
- tasks/ajax/delete.php in apps/
- tasks/ajax/edittask.php in apps/
or administrators for requests that use
- changepassword.php in settings/ajax/
- creategroup.php in settings/ajax/
- createuser.php in settings/ajax/
- disableapp.php in settings/ajax/
- enableapp.php in settings/ajax/
- lostpassword.php in settings/ajax/
- removegroup.php in settings/ajax/
- removeuser.php in settings/ajax/
- setlanguage.php in settings/ajax/
- setloglevel.php in settings/ajax/
- setquota.php in settings/ajax/
- togglegroups.php in settings/ajax/
Affected Software
- ownCloud Server < 4.0.6 (CVE-2012-4393)
Action Taken
It is recommended that all instances are upgraded to ownCloud Server 4.0.7.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
| CPE | Name | Operator | Version |
|---|---|---|---|
| owncloud server | lt | 4.0.6 |
Related
cve
cve
CVE-2012-4393
2022-10-03 16:15:32
CVE-2012-4752
2022-10-03 16:15:34
ubuntucve
ubuntucve
CVE-2012-4393
2012-09-05 00:00:00
CVE-2012-4752
2012-09-05 00:00:00
prion
prion
Cross site request forgery (csrf)
2012-09-05 23:55:00
Code injection
2012-09-05 23:55:00
nvd
nvd
CVE-2012-4393
2012-09-05 23:55:02
CVE-2012-4752
2012-09-05 23:55:03
owncloud
owncloud
Server: Several CSRF security fixes
2012-07-01 11:42:22
Auth bypass in index.php - ownCloud
2012-07-01 17:18:39
Server: Auth bypass in index.php
2012-07-01 11:42:22
cvelist
cvelist
CVE-2012-4393
2022-10-03 16:15:32
CVE-2012-4752
2022-10-03 16:15:34
openvas
openvas
ownCloud < 4.0.6 Multiple Vulnerabilities (oC-SA-2012-016, oC-SA-2012-017)
2021-09-21 00:00:00