Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 469844 (CVE-2013-2046)

Summary: <www-apps/owncloud-{4.0.15,4.5.11,5.0.6}: multiple security issues (CVE-2013-{2039,2040,2041,2042,2043,2044,2045,2046,2047,2048})
Product: Gentoo Security Reporter: Bernard Cafarelli <voyageur>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: alexxy, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://owncloud.org/changelog/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Bernard Cafarelli gentoo-dev 2013-05-14 15:20:43 UTC 
As per upstream changelog

New versions bumped in tree (5.0.6, 4.5.11 and 4.0.15) and vulnerable versions removed
Comment 1 Agostino Sarubbo gentoo-dev 2013-05-15 13:13:10 UTC 
thanks for the report/bump.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-06-08 00:28:40 UTC 
CVE-2013-2048 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2048):
  ownCloud before 5.0.6 does not properly check permissions, which allows
  remote authenticated users to execute arbitrary API commands via unspecified
  vectors.  NOTE: this can be leveraged using CSRF to allow remote attackers
  to execute arbitrary API commands.

CVE-2013-2047 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2047):
  The login page (aka index.php) in ownCloud before 5.0.6 does not disable the
  autocomplete setting for the password parameter, which makes it easier for
  physically proximate attackers to guess the password.

CVE-2013-2046 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2046):
  SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x
  before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to
  execute arbitrary SQL commands via unspecified vectors.

CVE-2013-2045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2045):
  SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before
  5.0.6 allows remote authenticated users to execute arbitrary SQL commands
  via unspecified vectors.

CVE-2013-2044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2044):
  Open redirect vulnerability in the Login Page (index.php) in ownCloud before
  5.0.6 allows remote attackers to redirect users to arbitrary web sites and
  conduct phishing attacks via a URL in the redirect_url parameter.

CVE-2013-2043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2043):
  apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6
  does not properly check the ownership of a calendar, which allows remote
  authenticated users to download arbitrary calendars via the calendar_id
  parameter.

CVE-2013-2042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2042):
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before
  4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote
  authenticated users to inject arbitrary web script or HTML via the url
  parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2)
  apps/bookmarks/ajax/editBookmark.php.

CVE-2013-2041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2041):
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x before
  5.0.6 allow remote authenticated users to inject arbitrary web script or
  HTML via the (1) tag parameter to apps/bookmarks/ajax/addBookmark.php or (2)
  dir parameter to apps/files/ajax/newfile.php, which is passed to
  apps/files/js/files.js.

CVE-2013-2040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2040):
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before
  4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote
  authenticated users to inject arbitrary web script or HTML via unspecified
  vectors.

CVE-2013-2039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2039):
  Directory traversal vulnerability in lib/files/view.php in ownCloud before
  4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users
  to access arbitrary files via unspecified vectors.