CVE-2013-0300

Published: Mar 14, 2014Modified: May 6, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the default view via the v parameter to apps/calendar/ajax/changeview.php, mount arbitrary (2) Google Drive or (3) Dropbox folders via vectors related to addRootCertificate.php, dropbox.php and google.php in apps/files_external/ajax/, or (4) change the authentication server URL via unspecified vectors to apps/user_webdavauth/settings.php.

Affected (7)

Products: Owncloud: Owncloud Server

Owncloud

1 product

Owncloud Server

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Owncloud Owncloud Server	Version 4.5.0
Owncloud Owncloud Server	Version 4.5.1
Owncloud Owncloud Server	Version 4.5.2
Owncloud Owncloud Server	Version 4.5.3
Owncloud Owncloud Server	Version 4.5.4
Owncloud Owncloud Server	Version 4.5.5
Owncloud Owncloud Server	Version 4.5.6

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

http://owncloud.org/about/security/advisories/oC-SA-2013-004/

Source: secalert@redhat.com

Vendor Advisory

http://owncloud.org/about/security/advisories/oC-SA-2013-004/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.