| Summary: | <www-apps/owncloud-{4.0.13,4.5.8}: multiple security issues (CVE-2013-{1822,1850,1851}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Bernard Cafarelli <voyageur> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | alexxy, maxime.deroucy, voyageur, web-apps |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://owncloud.org/changelog/ | ||
| Whiteboard: | ~4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Bernard Cafarelli
2013-03-14 08:54:12 UTC
(In reply to comment #0) > See upstream changelog > > New versions bumped in tree (4.0.13, 4.5.8, 5.0.0), and vulnerable ones were > removed Thanks, Bernard! Closing noglsa for ~arch only. *** Bug 461702 has been marked as a duplicate of this bug. *** CVE-2013-1851 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1851): Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors. CVE-2013-1850 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1850): Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file. CVE-2013-1822 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1822): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.8 allow remote authenticated users with administrator privileges to inject arbitrary web script or HTML via the (1) quota parameter to /core/settings/ajax/setquota.php, or remote authenticated users with group admin privileges to inject arbitrary web script or HTML via the (2) group field to settings.php or (3) "share with" field. |
