Security Advisory

Back to advisories

Multiple SQL injection (oC-SA-2013-019)

14th May 2013

Risk level: High

Description

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. (CVE-2013-2045)

ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the SQL query in lib/bookmarks.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. (CVE-2013-2046)

Affected Software

  • ownCloud Server < 5.0.6 (CVE-2013-2045)
  • ownCloud Server < 4.5.11 (CVE-2013-2046)

Action Taken

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Mateusz Goik - AliantSoft () - Vulnerability discovery and disclosure.