Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 453604 (CVE-2013-0201)

Summary: <www-apps/owncloud-{4.0.11,4.5.6}: Security bump - XSS and PHP code execution (CVE-2013-{0201,0202,0203,0204})
Product: Gentoo Security Reporter: Bernard Cafarelli <voyageur>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: kripton, voyageur
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://owncloud.org/releases/Changelog
Whiteboard: ~2 [noglsa]
Package list:
Runtime testing required: ---

Description Bernard Cafarelli gentoo-dev 2013-01-23 01:01:53 UTC 
From upstream changelog:
- Security: Fix multiple XSS problems: CVE-2013-0201,  CVE-2013-0202, CVE-2013-0203
- Security: Removed remoteStorage app because of unfixed security problems.
(4.5.6 only) - Security: Fix Code execution in external storage: CVE-2013-0204

4.0.11 and 4.5.6 are in tree now, vulnerable versions removed
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-01-24 19:43:26 UTC 
Thanks, Bernard. 

Closing noglsa for ~arch only.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-06-08 00:31:47 UTC 
CVE-2013-0204 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0204):
  settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote
  authenticated users to execute arbitrary PHP code via crafted mount point
  settings.

CVE-2013-0201 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0201):
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5,
  4.0.10, and earlier allow remote attackers to inject arbitrary web script or
  HTML via the (1) QUERY_STRING to
  core/lostpassword/templates/resetpassword.php, (2) mime parameter to
  apps/files/ajax/mimeicon.php, or (3) token parameter to
  apps/gallery/sharing.php.