Privilege escalation in the contacts application
Platform: ownCloud Server
Versions: 4.5.10, 5.0.5
Risk level: Medium
Because the ownership of a single contact is not properly checked, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5, including the 4.5.x branch.
Note: Successful exploitation of this privilege escalation requires the “contacts” app to be enabled (enabled by default).
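The bug class behind this advisory, shown as an added illustration in Python (not ownCloud's own PHP code; the contact store, user names and handler names are constructed for the example): the vulnerable handler authenticates the caller but never ties the requested contact to that caller, while the hardened handler checks ownership of the object and returns the same failure for missing and foreign ids.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Contact:
    id: int
    owner: str  # user whose address book holds this contact
    vcard: str


# Constructed sample store: two users, one contact each.
CONTACTS = {
    1: Contact(1, "alice", "BEGIN:VCARD\nFN:Alice Friend\nEND:VCARD"),
    2: Contact(2, "bob", "BEGIN:VCARD\nFN:Bob Friend\nEND:VCARD"),
}


class Forbidden(Exception):
    """Raised when the request must be refused."""


def export_contact_vulnerable(current_user: Optional[str], contact_id: int) -> str:
    """Vulnerable pattern: only checks that *someone* is logged in.

    The contact id comes straight from the request, so any authenticated
    user can fetch any contact, which is the flaw the advisory describes.
    """
    if current_user is None:
        raise Forbidden("login required")
    return CONTACTS[contact_id].vcard


def export_contact_fixed(current_user: Optional[str], contact_id: int) -> str:
    """Hardened pattern: authorisation is bound to the object, not the session.

    A missing id and a foreign id get the identical response, so the
    endpoint does not reveal which contact ids exist for other users.
    """
    if current_user is None:
        raise Forbidden("login required")
    contact = CONTACTS.get(contact_id)
    if contact is None or contact.owner != current_user:
        raise Forbidden("contact not found")
    return contact.vcard


def can_export(handler: Callable[[Optional[str], int], str],
               current_user: Optional[str], contact_id: int) -> bool:
    """Helper for checks: True if the handler returns the vCard, False if refused."""
    try:
        handler(current_user, contact_id)
        return True
    except (Forbidden, KeyError):
        return False
```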
- ownCloud Server < 5.0.5 (CVE-2013-1963)
- ownCloud Server < 4.5.10 (CVE-2013-1963)
It is recommended that all instances be upgraded to ownCloud Server 5.0.5 or 4.5.10.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.