CVE-2013-0304

Published: Jun 5, 2014Modified: May 6, 2026

4.0

Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability: 8.0 / Impact: 2.9

Source: NVD

Description

ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is.

Affected (7)

Products: Owncloud: Owncloud, Owncloud Server

Owncloud

2 products

Owncloud

Owncloud Server

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Owncloud Owncloud	Up to 4.5.6
Owncloud Owncloud Server	Version 4.5.0
Owncloud Owncloud Server	Version 4.5.1
Owncloud Owncloud Server	Version 4.5.2
Owncloud Owncloud Server	Version 4.5.3
Owncloud Owncloud Server	Version 4.5.4
Owncloud Owncloud Server	Version 4.5.5

Related CWEs

CWE-264

References (4)

http://owncloud.org/about/security/advisories/oC-SA-2013-007/

Source: secalert@redhat.com

Vendor Advisory

http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf

Source: secalert@redhat.com

http://owncloud.org/about/security/advisories/oC-SA-2013-007/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.