contacts: SQL Injection (oC-SA-2013-012)


Issued on:

25.03.2013

CVE:
  • CVE-2013-1893
Affected Software:
  • ownCloud Server < 5.0.1
Risk:

Critical

Commits
  • stable5: c1b62af
Description

ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php, which allows an authenticated attacker to execute arbitrary SQL commands.

Note: Successful exploitation of this vulnerability requires the contacts application to be enabled (it is enabled by default).
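The bug class described above, as an added illustration that is not ownCloud's own addressbookprovider.php: an address book lookup that concatenates request input into the SQL text, beside the hardened form that validates the id and binds both values as parameters. The table layout, function names and the in-memory SQLite database are assumptions made for this example.

```php
<?php
// Added example, not code from ownCloud. Schema and names are constructed.

// Constructed in-memory table standing in for the contacts app's address book table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE addressbooks (id INTEGER PRIMARY KEY, userid TEXT, displayname TEXT)');
$db->exec("INSERT INTO addressbooks VALUES (1, 'alice', 'Personal'), (2, 'bob', 'Work')");

// VULNERABLE pattern: $id and $user come straight from the request and are
// interpolated into the query string, so a quote or operator inside them is
// parsed as SQL rather than treated as data. Because the caller is already
// logged in, "authenticated attacker" is exactly who controls these values.
function getAddressbookVulnerable(PDO $db, $id, $user) {
    $sql = "SELECT * FROM addressbooks WHERE id = '$id' AND userid = '$user'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: check the shape of the input first, then bind it as a parameter so
// the database driver never sees it as part of the statement text.
function getAddressbookSafe(PDO $db, $id, $user) {
    if (!ctype_digit((string) $id)) {
        throw new InvalidArgumentException('address book id must be an integer');
    }
    $stmt = $db->prepare('SELECT * FROM addressbooks WHERE id = :id AND userid = :user');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A normal request from alice for her own address book: both variants return one row.
var_dump(count(getAddressbookVulnerable($db, '1', 'alice')) === 1);
var_dump(count(getAddressbookSafe($db, '1', 'alice')) === 1);

// An id containing a quote character: the vulnerable variant passes it to the SQL
// parser unchanged; the hardened variant rejects it before any query is run.
try {
    getAddressbookSafe($db, "1'", 'alice');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

When auditing for this pattern, grep the contacts code for SQL strings built with `"..."` interpolation or `.` concatenation of request values; every such site should become a prepared statement with bound parameters.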
Credits

The ownCloud Team would like to thank Alexander Bürger for discovering this vulnerability.