Version 4.5.7 Feb 20th 2013 Fix for 3rd party apps dropping the database Fix SubAdmins management Fix PHP warnings Fix compatibility with some CIFS shares More robust apps management Remove not needed AWS tests Improved mime type parsing Several sharing fixes Offer the option to change the password only supported by the backend More robust auto language detection Revoke DB rights on install only if the db is newly created Fix rendering of database connection error page LDAP: update quota more often Multiple XSS vulnerabilities (oC-SA-2013-003) Multiple CSRF vulnerabilities (oC-SA-2013-004) PHP settings disclosure (oC-SA-2013-005) Multiple code executions (oC-SA-2013-006) Privilege escalation in the calendar application (oC-SA-2013-007) Reproducible: Always
Multiple security vulnerabilities (http://owncloud.org/about/security/advisories/) affecting: ownCloud Server < 4.5.7 ownCloud Server < 4.0.12 @Security team please advise.
Thanks for the report and information. Maintainers, please bump to 4.0.12 and 4.5.7 and cleanup vulnerable versions.
*** Bug 458612 has been marked as a duplicate of this bug. ***
Sorry for the delay, 4.0.12 and 4.5.7 are now in tree, and I removed vulnerable versions
Thank you very much Bernard!
(In reply to comment #4) > Sorry for the delay, 4.0.12 and 4.5.7 are now in tree, and I removed > vulnerable versions Thanks, Bernard. Closing noglsa for ~arch only.
CVE-2013-0307 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0307): Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter. CVE-2013-0304 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0304): ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is. CVE-2013-0303 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0303): Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344. CVE-2013-0302 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0302): Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK. CVE-2013-0301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0301): Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter. CVE-2013-0300 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0300): Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the default view via the v parameter to apps/calendar/ajax/changeview.php, mount arbitrary (2) Google Drive or (3) Dropbox folders via vectors related to addRootCertificate.php, dropbox.php and google.php in apps/files_external/ajax/, or (4) change the authentication server URL via unspecified vectors to apps/user_webdavauth/settings.php. CVE-2013-0299 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0299): Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php. CVE-2013-0298 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0298): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted iCalendar file to the calendar application, the (2) dir or (3) file parameter to apps/files_pdfviewer/viewer.php, or the (4) mountpoint parameter to /apps/files_external/addMountPoint.php. CVE-2013-0297 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0297): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php.
