
Bug 461704

Summary: <www-apps/owncloud-{4.0.13,4.5.8}: multiple security issues (CVE-2013-{1822,1850,1851})
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Bernard Cafarelli <voyageur>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
Priority: Normal
CC: alexxy, maxime.deroucy, voyageur, web-apps
Version: unspecified
Hardware: All
OS: Linux
URL: http://owncloud.org/changelog/
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Bernard Cafarelli gentoo-dev 2013-03-14 08:54:12 UTC
See upstream changelog

New versions bumped in tree (4.0.13, 4.5.8, 5.0.0), and vulnerable ones were removed
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-14 12:59:05 UTC
(In reply to comment #0)
> See upstream changelog
> 
> New versions bumped in tree (4.0.13, 4.5.8, 5.0.0), and vulnerable ones were
> removed

Thanks, Bernard!

Closing noglsa for ~arch only.
Comment 2 Bernard Cafarelli gentoo-dev 2013-03-14 18:02:16 UTC
*** Bug 461702 has been marked as a duplicate of this bug. ***
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-06-08 00:32:36 UTC
CVE-2013-1851 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1851):
  Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before
  4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled,
  allows remote authenticated users to import arbitrary files to the user's
  account via unspecified vectors.

CVE-2013-1850 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1850):
  Multiple incomplete blacklist vulnerabilities in (1) import.php and (2)
  ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x
  before 4.5.8 allow remote authenticated users to execute arbitrary PHP code
  by uploading a .htaccess file.

CVE-2013-1822 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1822):
  Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before
  4.5.8 allow remote authenticated users with administrator privileges to
  inject arbitrary web script or HTML via the (1) quota parameter to
  /core/settings/ajax/setquota.php, or remote authenticated users with group
  admin privileges to inject arbitrary web script or HTML via the (2) group
  field to settings.php or (3) "share with" field.