[v2.5] Owncloud SQL Injection (oC-SA-2013-019), Multiple directory traversals (oC-SA-2013-020), Multiple XSS vulnerabilities (oC-SA-2013-021), Privilege escalation in the calendar application (oC-SA-2013-024)
Owncloud Version 4.5.11 fixes several security issues in v4.5.10.
Multiple SQL Injections (oC-SA-2013-019)
reference: http://owncloud.org/about/security/advisories/oC-SA-2013-019/
AFFECTED SOFTWARE
ownCloud Server < 5.0.6 (CVE-2013-2045)
ownCloud Server < 4.5.11 (CVE-2013-2046)
CVE IDENTIFIERS
CVE-2013-2045
CVE-2013-2046
RISK
Critical
Commits
CVE-2013-2045
stable5: e8bedd
CVE-2013-2046
stable45: 582c3ed
DESCRIPTION
ownCloud before 5.0.6 does not neutralize special elements that are
passed to the SQL query in lib/db.php which therefore allows an
authenticated attacker to execute arbitrary SQL commands.
(CVE-2013-2045)
ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the SQL query in lib/bookmarks.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. (CVE-2013-2046)
Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl /
CVE-2013-2045) for discovering this vulnerability.
Multiple directory traversals (oC-SA-2013-020)
reference: http://owncloud.org/about/security/advisories/oC-SA-2013-020/
AFFECTED SOFTWARE
ownCloud Server < 5.0.6 (CVE-2013-2039, CVE-2013-2085)
ownCloud Server < 4.5.11 (CVE-2013-2039)
ownCloud Server < 4.0.15 (CVE-2013-2039)
RISK
Critical
COMMITS
CVE-2013-2039
stable5: a7f1269
stable45: 6be497c
stable4: d38c7a1
CVE-2013-2085
stable5: 1dfb757
DESCRIPTION
Multiple directory traversal vulnerabilities in (1)
apps/files_trashbin/index.php via the “dir” GET parameter and (2)
lib/files/view.php via undefined vectors in all ownCloud versions prior
to 5.0.6 and other versions before 4.0.15, allow authenticated remote
attackers to get access to arbitrary local files.
Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl) for
discovering these vulnerabilities.
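A log-side detection check for the traversal described in oC-SA-2013-020 above, as an added example that is not part of the advisory or of ownCloud's own code. It assumes common-log-format access-log lines (the sample entries are constructed) and flags `..` segments in the `dir` parameter sent to apps/files_trashbin/index.php, including percent-encoded and double-encoded forms.

```python
"""Scan access logs for traversal attempts against the ownCloud trashbin
endpoint named in oC-SA-2013-020 (CVE-2013-2039). Sample lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter taken from the advisory text.
TRASHBIN_PATH = "/apps/files_trashbin/index.php"
TRAVERSAL_PARAM = "dir"

# Request line inside a common-log-format entry: "GET /path?query HTTP/1.1"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value: str) -> bool:
    """True if any path segment of the decoded value is '..' (either slash style)."""
    normalized = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in normalized.split("/"))

def find_traversal_attempts(log_lines):
    """Return (line number, decoded dir value) for suspicious trashbin requests."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = _REQ_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if url.path != TRASHBIN_PATH:  # scoped to the advisory's endpoint
            continue
        # parse_qs decodes one layer; fully_decode also catches double-encoding.
        for value in parse_qs(url.query, keep_blank_values=True).get(TRAVERSAL_PARAM, []):
            if is_traversal(value):
                hits.append((number, fully_decode(value)))
    return hits

SAMPLE_LOG = [  # constructed sample entries, not real traffic
    '192.0.2.10 - alice [18/May/2013:10:00:01 +0000] "GET /apps/files_trashbin/index.php?dir=%2FDocuments HTTP/1.1" 200 512',
    '192.0.2.10 - alice [18/May/2013:10:00:07 +0000] "GET /apps/files_trashbin/index.php?dir=..%2F..%2F..%2Fetc HTTP/1.1" 200 1024',
    '192.0.2.11 - bob [18/May/2013:10:01:13 +0000] "GET /apps/files_trashbin/index.php?dir=%252e%252e%252fdata HTTP/1.1" 200 300',
    '192.0.2.12 - carol [18/May/2013:10:02:44 +0000] "GET /apps/files/ajax/list.php?dir=%2FPhotos HTTP/1.1" 200 200',
]
```

Calling `find_traversal_attempts(SAMPLE_LOG)` returns the second and third entries; the fourth is skipped because the scanner is scoped to the endpoint the advisory names.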
Multiple XSS vulnerabilities (oC-SA-2013-021)
reference: http://owncloud.org/about/security/advisories/oC-SA-2013-021/
AFFECTED SOFTWARE
ownCloud Server < 5.0.6 (CVE-2013-2040, CVE-2013-2041, CVE-2013-2042)
ownCloud Server < 4.5.11 (CVE-2013-2040, CVE-2013-2042)
ownCloud Server < 4.0.15 (CVE-2013-2040, CVE-2013-2042)
RISK
Medium
COMMITS
CVE-2013-2040
stable5: 8e61602
stable45: f9aeaa6
stable4: 1fb796c
CVE-2013-2041
stable5: b38a1adf, 95b45a2
CVE-2013-2042
stable5: a22cb98
stable45: f1fdeb2
stable4: df54cd
DESCRIPTION
Cross-site scripting (XSS) vulnerabilities in multiple files inside the
media application via multiple unspecified vectors in all ownCloud
versions prior to 5.0.6 and other versions before 4.0.15 allow
authenticated remote attackers to inject arbitrary web script or HTML.
(CVE-2013-2040)
Cross-site scripting (XSS) vulnerabilities in (1) apps/bookmarks/ajax/editBookmark.php via the “tag” GET parameter (CVE-2013-2041) and in (2) apps/files/js/files.js via the “dir” GET parameter to apps/files/ajax/newfile.php (CVE-2013-2041) in ownCloud 5.0.x before 5.0.6 allow authenticated remote attackers to inject arbitrary web script or HTML.
Cross-site scripting (XSS) vulnerabilities in (1) apps/bookmarks/ajax/addBookmark.php via the “url” GET parameter and in (2) apps/bookmarks/ajax/editBookmark.php via the “url” POST parameter in ownCloud 5.0.x before 5.0.6 allow authenticated remote attackers to inject arbitrary web script or HTML. (CVE-2013-2042)
Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl /
CVE-2013-2040 / CVE-2013-2041) and Kacper R. (http://devilteam.pl /
CVE-2013-2042) for discovering these vulnerabilities.
Privilege escalation in the calendar application (oC-SA-2013-024)
reference: http://owncloud.org/about/security/advisories/oC-SA-2013-024/
AFFECTED SOFTWARE
ownCloud Server < 5.0.6
ownCloud Server < 4.5.11
RISK
High
CVE
CVE-2013-2043
COMMITS
stable5: 7223754
stable45: 68daff4
DESCRIPTION
Due to not properly checking the ownership of a calendar, an
authenticated attacker is able to download calendars of other users via
the “calendar_id” GET parameter to /apps/calendar/ajax/events.php.
Note: Successful exploitation of this privilege escalation requires the “calendar” app to be enabled (enabled by default).
Credits
The ownCloud Team would like to thank Mateusz Goik (aliantsoft.pl) for
discovering this vulnerability.
(from redmine: issue id 1910, created on 2013-05-18, closed on 2013-05-20)
- Changesets:
- Revision bf75571c on 2013-05-20T08:07:33Z:
main/owncloud: upgrade to 4.5.11. Fixes #1910