< go back to overview

Multiple code executions

Platform: ownCloud Server

Versions: 4.0.12, 4.5.7,

Date: 2/20/2013

Risk level: High

Description

A code executions vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allow authenticated remote attackers to execute arbitrary PHP code via

  • unspecified POST parameters to translations.php in /core/ajax/
    • Commits: 74e73bc (stable4), ece08cd (stable45)
    • Risk: Critical

A code executions vulnerability in ownCloud 4.5.6 and all prior versions (except ownCloud 4.0.x) allow authenticated remote attackers to execute arbitrary PHP code via

  • unspecified POST parameters to settings.php in /core/
    • Commits: 746aa0 (stable45)
    • Risk: Critical

Affected Software

  • ownCloud Server < 4.5.7 (CVE-2013-0303)
  • ownCloud Server < 4.0.12 (CVE-2013-0303)

Action Taken

It is recommended that all instances are upgraded to ownCloud Server 4.5.7 or 4.0.12.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.

Share this