contacts: SQL Injection
Platform: ownCloud Server
Risk level: High
ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php, which allows an authenticated attacker to execute arbitrary SQL commands.
- ownCloud Server < 5.0.1 (CVE-2013-1893)
It is recommended that all instances are upgraded to ownCloud Server 5.0.1.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Alexander Bürger – Vulnerability discovery and disclosure.