Privilege escalation in the contacts application (oC-SA-2013-018)


Issued on:

18.04.2013

CVE:

CVE-2013-1963

Affected Software:
  • ownCloud Server < 5.0.5
  • ownCloud Server < 4.5.10
Risk:

High

Commits:

Description

Because the ownership of an individual contact was not properly checked, an authenticated attacker is able to download contacts belonging to other users in all ownCloud versions prior to 5.0.5, including the 4.5.x branch.

Note: Successful exploitation of this privilege escalation requires the “contacts” app to be enabled (enabled by default).
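The class of bug the advisory describes, shown as an added example that is not ownCloud's code: a contact download keyed only by contact id (no ownership check) beside a version that scopes the lookup to the requesting user, plus a small audit helper that reports any cross-user reads. The in-memory store, `Contact` model and function names are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    id: int
    owner: str   # user whose address book holds this contact
    vcard: str   # serialized contact data returned on download


class PermissionDenied(Exception):
    pass


# Constructed in-memory stand-in for the contacts table (not real data).
CONTACTS = {
    1: Contact(1, "alice", "BEGIN:VCARD\nFN:Alice Dentist\nEND:VCARD"),
    2: Contact(2, "bob", "BEGIN:VCARD\nFN:Bob Landlord\nEND:VCARD"),
}


def download_contact_vulnerable(requesting_user: str, contact_id: int) -> str:
    """Before: the contact is fetched by id alone. Being logged in is the only
    gate, so any authenticated user can read any contact id (the advisory's bug)."""
    return CONTACTS[contact_id].vcard


def download_contact_fixed(requesting_user: str, contact_id: int) -> str:
    """After: the lookup is scoped to the requesting user. A contact owned by
    someone else is reported the same way as a missing one, so ids cannot be
    distinguished by the error."""
    contact = CONTACTS.get(contact_id)
    if contact is None or contact.owner != requesting_user:
        raise PermissionDenied(f"contact {contact_id} not available to {requesting_user}")
    return contact.vcard


def audit_cross_user_reads(handler) -> list:
    """Regression check: try every (user, contact) pair the user does not own and
    return those the handler still serves. An empty list means no cross-user leak."""
    users = sorted({c.owner for c in CONTACTS.values()})
    leaks = []
    for user in users:
        for cid, contact in CONTACTS.items():
            if contact.owner == user:
                continue
            try:
                handler(user, cid)
            except (PermissionDenied, KeyError):
                continue
            leaks.append((user, cid))
    return leaks
```

Running the audit against both handlers is the kind of test that would have caught the missing check before release: the vulnerable handler leaks every foreign contact, the fixed one leaks none.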