Privilege escalation and CSRF in the API (oC-SA-2013-025)


AFFECTED SOFTWARE

  • ownCloud Server < 5.0.6

RISK

  • High

CVE

  • CVE-2013-2048

COMMITS

DESCRIPTION

Due to an insufficient permission check in the API, an authenticated attacker is able to execute API commands as administrator. Additionally, an unauthenticated attacker could exploit this flaw through cross-site request forgery.

RESOLUTION

Update to ownCloud Server 5.0.6
http://download.owncloud.org/community/owncloud-5.0.6.tar.bz2