Calendar export: Authorization Bypass Through User-Controlled Key
Platform: ownCloud Server
Versions: 7.0.8, 8.0.6, 8.1.1
Date: 8/25/2015
Risk level: Low
CVSS v2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: Authorization Bypass Through User-Controlled Key (CWE-639)
Description
Because the ownership of a calendar is not properly checked, an authenticated attacker is able to download the calendars of other users via the “calid” GET parameter to export.php in /apps/calendar/.
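The pattern behind this class of bug, as an added illustration that is not ownCloud's own code: the export handler takes a record identifier from the request and uses it as a lookup key without tying the record back to the authenticated user. The function names, the in-memory calendar store and the request shape below are hypothetical and constructed for the example; the hardened variant shows the ownership check that CWE-639 describes as missing.

```php
<?php
declare(strict_types=1);

// Constructed sample store (not ownCloud's schema): calendar id => owner + iCalendar text.
const CALENDARS = [
    1 => ['owner' => 'alice', 'ics' => "BEGIN:VCALENDAR\r\nPRODID:-//example//EN\r\nEND:VCALENDAR\r\n"],
    2 => ['owner' => 'bob',   'ics' => "BEGIN:VCALENDAR\r\nPRODID:-//example//EN\r\nEND:VCALENDAR\r\n"],
];

// Vulnerable shape (CWE-639): the user-controlled key selects the record and
// nothing compares that record's owner with the authenticated user.
function exportCalendarVulnerable(string $currentUser, int $calid): ?string
{
    $calendar = CALENDARS[$calid] ?? null;
    if ($calendar === null) {
        return null;
    }
    return $calendar['ics']; // owner never checked against $currentUser
}

// Hardened shape: load the record, then require that the authenticated user
// owns it before anything is returned. A missing calendar and a calendar
// belonging to someone else yield the same result, so the endpoint does not
// confirm which ids exist.
function exportCalendarChecked(string $currentUser, int $calid): ?string
{
    $calendar = CALENDARS[$calid] ?? null;
    if ($calendar === null || $calendar['owner'] !== $currentUser) {
        return null;
    }
    return $calendar['ics'];
}

// Request front end: reject anything that is not an integer before it reaches
// the lookup, and map a null result to HTTP 404 instead of an empty body.
function handleExport(array $query, string $currentUser): array
{
    $calid = filter_var($query['calid'] ?? null, FILTER_VALIDATE_INT);
    if ($calid === false) {
        return ['status' => 400, 'body' => 'invalid calid'];
    }
    $ics = exportCalendarChecked($currentUser, $calid);
    if ($ics === null) {
        return ['status' => 404, 'body' => 'calendar not found'];
    }
    return ['status' => 200, 'body' => $ics];
}

// Demonstration: bob (authenticated) asks for alice's calendar, id 1.
var_dump(exportCalendarVulnerable('bob', 1)); // vulnerable handler returns alice's data
var_dump(exportCalendarChecked('bob', 1));    // checked handler denies it
var_dump(handleExport(['calid' => '1'], 'bob')['status']);   // foreign calendar
var_dump(handleExport(['calid' => '2'], 'bob')['status']);   // bob's own calendar
var_dump(handleExport(['calid' => 'abc'], 'bob')['status']); // malformed parameter
```

The check belongs in the data-access layer rather than only in the controller, so every code path that resolves a calendar by id enforces it; if calendars can be shared, the owner comparison is replaced by an explicit grant lookup for the current user, never by trusting the id alone.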
Affected Software
- ownCloud Server < 8.1.1 (CVE-2015-6670)
- ownCloud Server < 8.0.6 (CVE-2015-6670)
- ownCloud Server < 7.0.8 (CVE-2015-6670)
Action Taken
The vulnerable component has been fixed.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Ralf Vroomen – Vulnerability discovery and disclosure.