Privilege escalation in the calendar application
Platform: ownCloud Server
Risk level: Medium
Because the ownership of a calendar is not properly checked, an authenticated attacker is able to download the calendars of other users via the “calid” GET parameter to export.php in /apps/calendar/.
- ownCloud Server < 4.5.7 (CVE-2013-0304)
It is recommended that all instances are upgraded to ownCloud Server 4.5.8.
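The missing ownership check and its correction, as an added example that is not ownCloud's code. The in-memory `CALENDARS` array and both handler functions are hypothetical stand-ins for how an export script resolves `calid`.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the calendar table (not ownCloud's schema).
const CALENDARS = [
    1 => ['owner' => 'alice', 'ics' => "BEGIN:VCALENDAR\r\nX-WR-CALNAME:Work\r\nEND:VCALENDAR\r\n"],
    2 => ['owner' => 'bob',   'ics' => "BEGIN:VCALENDAR\r\nX-WR-CALNAME:Private\r\nEND:VCALENDAR\r\n"],
];

// Flawed pattern: the handler only requires a logged-in session, then trusts
// the client-supplied calid, so any authenticated user can read any calendar.
function exportCalendarUnchecked(?string $sessionUser, array $query): array
{
    if ($sessionUser === null) {
        return [401, ''];
    }
    $cal = CALENDARS[(int)($query['calid'] ?? 0)] ?? null;
    return $cal === null ? [404, ''] : [200, $cal['ics']];
}

// Corrected pattern: validate calid, then authorize it against the session user.
function exportCalendarChecked(?string $sessionUser, array $query): array
{
    if ($sessionUser === null) {
        return [401, ''];
    }
    $calid = filter_var($query['calid'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($calid === false) {
        return [400, ''];
    }
    $cal = CALENDARS[$calid] ?? null;
    // Same 404 for "missing" and "not yours", so responses do not reveal which ids exist.
    if ($cal === null || $cal['owner'] !== $sessionUser) {
        return [404, ''];
    }
    return [200, $cal['ics']];
}

// bob is authenticated; calid=1 belongs to alice, calid=2 to bob.
foreach (['exportCalendarUnchecked', 'exportCalendarChecked'] as $handler) {
    [$foreign] = $handler('bob', ['calid' => '1']);
    [$own]     = $handler('bob', ['calid' => '2']);
    printf("%-24s foreign=%d own=%d\n", $handler, $foreign, $own);
}
```

The authorization decision uses only the server-side session identity; nothing from the request other than the validated `calid` influences it.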
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Romain Severin – Intrinsec – Vulnerability discovery and disclosure.