Privilege escalation in the calendar application
Platform: ownCloud Server
Versions: 4.5.11, 5.0.6
Risk level: Medium
Because the ownership of a calendar is not properly checked, an authenticated attacker is able to download the calendars of other users by supplying their id in the “calendar_id” GET parameter to /apps/calendar/ajax/events.php.
Note: Successful exploitation of this privilege escalation requires the “calendar” app to be enabled (enabled by default).
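The flaw described above is a missing ownership check on a user-supplied object id (an insecure direct object reference). The following is an added illustration written for this advisory, not ownCloud's own code: a minimal events handler with the defect beside a corrected one that verifies the calendar belongs to the session user, plus a small log heuristic a defender could run over web-server access logs to spot one account walking through many calendar_id values. The endpoint path and parameter name come from the advisory; the store, user names, log format and threshold are constructed assumptions.

```python
"""Added example (not ownCloud code): missing ownership check on calendar_id,
the corrected check, and a simple enumeration detector over access logs."""
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs


class Forbidden(Exception):
    """Raised when the session user may not read the requested calendar."""


@dataclass
class Calendar:
    id: int
    owner: str
    events: list = field(default_factory=list)


# Constructed sample store: calendar id -> calendar, two users.
CALENDARS = {
    1: Calendar(1, "alice", ["alice: standup"]),
    2: Calendar(2, "bob", ["bob: dentist"]),
}


def events_vulnerable(session_user: str, calendar_id: str) -> list:
    """Defective pattern: authentication is assumed (session_user is set),
    but the calendar is fetched by id alone, so any id the caller names
    is returned regardless of who owns it."""
    cal = CALENDARS.get(int(calendar_id))
    if cal is None:
        raise KeyError("no such calendar")
    return cal.events


def access_allowed(session_user: str, calendar_id: str) -> bool:
    """Authorization decision: the calendar must exist AND be owned by the
    session user. Non-existent and not-owned are deliberately indistinguishable
    to the caller so the endpoint does not leak which ids exist."""
    cal = CALENDARS.get(int(calendar_id))
    return cal is not None and cal.owner == session_user


def events_fixed(session_user: str, calendar_id: str) -> list:
    """Corrected handler: the ownership check runs before any data is read."""
    if not access_allowed(session_user, calendar_id):
        raise Forbidden("calendar not accessible")
    return CALENDARS[int(calendar_id)].events


def suspicious_users(log_lines, threshold: int = 3) -> list:
    """Detection heuristic over constructed access-log lines of the form
    '<user> <method> <request-uri>': report users that requested at least
    `threshold` distinct calendar_id values on the events endpoint. A normal
    user touches only their own few calendars; a sweep across ids stands out."""
    seen: dict = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        user, uri = parts[0], parts[2]
        parsed = urlparse(uri)
        if not parsed.path.endswith("/apps/calendar/ajax/events.php"):
            continue
        for cid in parse_qs(parsed.query).get("calendar_id", []):
            seen.setdefault(user, set()).add(cid)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)


# Constructed log sample: alice reads her own calendar; mallory sweeps ids.
SAMPLE_LOG = [
    "alice GET /apps/calendar/ajax/events.php?calendar_id=1&start=0&end=1",
    "mallory GET /apps/calendar/ajax/events.php?calendar_id=1&start=0&end=1",
    "mallory GET /apps/calendar/ajax/events.php?calendar_id=2&start=0&end=1",
    "mallory GET /apps/calendar/ajax/events.php?calendar_id=3&start=0&end=1",
    "bob GET /index.php",
]

if __name__ == "__main__":
    print("vulnerable, alice reads id 2:", events_vulnerable("alice", "2"))
    try:
        events_fixed("alice", "2")
    except Forbidden as e:
        print("fixed, alice reads id 2:", e)
    print("flagged users:", suspicious_users(SAMPLE_LOG))
```

The important design point is that the check compares the object's owner with the authenticated identity taken from the session, never with anything from the request; the `calendar_id` parameter is only a lookup key. The same pattern applies to any ownCloud-style endpoint that accepts an object id.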
- ownCloud Server < 5.0.6 (CVE-2013-2043)
- ownCloud Server < 4.5.11 (CVE-2013-2043)
It is recommended that all instances are upgraded to ownCloud Server 5.0.6 or 4.5.11.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Mateusz Goik – AliantSoft – Vulnerability discovery and disclosure.