CSRF in documents
Platform: ownCloud Server
Risk level: Low
Due to not verifying whether a request was intentionally provided by the user who submitted an request the documents application is vulnerable against several CSRF attacks.
An attacker could have used this to arbitrary modify existing files or rename it.
- ownCloud Server < 6.0.3 (CVE-2014-3836)
We reviewed the CSRF protection of the documents application and added checks where necessarily.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.