Lucene search

Mateusz Goik – AliantSoft – Vulnerability discovery and disclosure.OWNCLOUD:F7C62A791E7546A588F3821CD0BD07F2

HistoryMay 14, 2013 - 6:06 p.m.

Multiple SQL injection - ownCloud

2013-05-1418:06:53

Mateusz Goik – AliantSoft – Vulnerability discovery and disclosure.

owncloud.org

0.002 Low

EPSS

Percentile

56.2%

JSON

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. (CVE-2013-2045)

ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the SQL query in lib/bookmarks.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. (CVE-2013-2046)

Affected Software

ownCloud Server < 5.0.6 (CVE-2013-2045)
ownCloud Server < 4.5.11 (CVE-2013-2046)

Action Taken

It is recommended that all instances are upgraded to ownCloud Server 5.0.6, 4.5.11 or 4.0.15.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

Mateusz Goik - AliantSoft - Vulnerability discovery and disclosure.

CPENameOperatorVersion
owncloud serverlt5.0.6
owncloud serverlt4.5.11

CPE	Name	Operator	Version
	owncloud server	lt	5.0.6
	owncloud server	lt	4.5.11

0.002 Low

EPSS

Percentile

56.2%

JSON

Related for OWNCLOUD:F7C62A791E7546A588F3821CD0BD07F2