Privilege escalation and CSRF in the API
Platform: ownCloud Server
Risk level: Medium
Due to an insufficient permission check, any authenticated user, not only an administrator, is able to execute administrative API commands. Additionally, because the same API commands accept state-changing requests without cross-site request forgery (CSRF) protection, an unauthenticated attacker could exploit the flaw via CSRF by tricking a logged-in user into submitting a forged request from a site the attacker controls.
Affected versions:
- ownCloud Server < 5.0.6 (CVE-2013-2048)
It is recommended that all instances be upgraded to ownCloud Server 5.0.6 or later.
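To make the two defects concrete, here is an added illustration, written for this page and not taken from ownCloud's code base: a minimal API dispatcher that, like the vulnerable behaviour described above, checks only that the caller is logged in, next to a hardened version that also checks the caller's role against the command being invoked and requires a per-session anti-CSRF token. The command names, the Session and Request classes, the dispatch functions and the constructed requests in demo() are all hypothetical.

```python
"""Hypothetical model of the advisory's two defects (not ownCloud code):
an API dispatcher that authenticates but never authorizes, and that accepts
state-changing commands without an anti-CSRF token, beside a hardened one."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Hypothetical command names; only these require administrator privileges.
ADMIN_COMMANDS = {"create_user", "delete_user", "set_quota"}


@dataclass
class Session:
    user: str
    is_admin: bool
    # Secret token stored server-side and rendered into the app's own pages only.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    session: Optional[Session]          # None: no session cookie at all
    command: str
    params: dict
    csrf_token: Optional[str] = None    # token carried in the request body/header


class Forbidden(Exception):
    pass


def run(req: Request) -> str:
    """Stand-in for the real command handlers: describes the effect."""
    return f"{req.command} executed by {req.session.user} with {req.params}"


def dispatch_vulnerable(req: Request) -> str:
    """The shape of the bug: only checks that *some* session exists.
    Any logged-in user reaches admin-only commands, and a forged cross-site
    request that rides on the victim's session cookie is indistinguishable
    from a genuine one."""
    if req.session is None:
        raise Forbidden("login required")
    return run(req)


def dispatch_hardened(req: Request) -> str:
    """Adds the two missing checks."""
    if req.session is None:
        raise Forbidden("login required")
    # 1. Authorization: the privilege the command requires, not mere login.
    if req.command in ADMIN_COMMANDS and not req.session.is_admin:
        raise Forbidden("admin privileges required")
    # 2. CSRF: the request must carry the token bound to this session.
    #    Another origin can make the browser send the cookie but cannot read
    #    the token, so it cannot supply it. Constant-time compare.
    if req.csrf_token is None or not hmac.compare_digest(
        req.csrf_token, req.session.csrf_token
    ):
        raise Forbidden("missing or invalid CSRF token")
    return run(req)


def allowed(dispatcher: Callable[[Request], str], req: Request) -> bool:
    """True if the dispatcher would execute the request, False if it refuses."""
    try:
        dispatcher(req)
        return True
    except Forbidden:
        return False


def demo() -> Dict[str, Dict[str, bool]]:
    """Runs constructed scenarios through both dispatchers."""
    admin = Session("admin", is_admin=True)
    alice = Session("alice", is_admin=False)
    scenarios = {
        # Privilege escalation: an ordinary authenticated user calls an admin command.
        "escalation": Request(alice, "delete_user", {"uid": "bob"},
                              csrf_token=alice.csrf_token),
        # CSRF: the attacker's page makes the admin's browser submit this; the
        # cookie (session) is attached automatically, the token is not known.
        "forged": Request(admin, "create_user",
                          {"uid": "mallory", "password": "x"}, csrf_token=None),
        # Legitimate admin request from the application's own page.
        "legit": Request(admin, "create_user",
                         {"uid": "carol", "password": "y"},
                         csrf_token=admin.csrf_token),
        # No session at all: both dispatchers refuse.
        "anonymous": Request(None, "set_quota", {"uid": "bob", "quota": "0"}),
    }
    return {
        "vulnerable": {k: allowed(dispatch_vulnerable, r) for k, r in scenarios.items()},
        "hardened": {k: allowed(dispatch_hardened, r) for k, r in scenarios.items()},
    }


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The vulnerable dispatcher lets both the escalation and the forged request through; the hardened one refuses them and still accepts the legitimate administrator request. Note that the CSRF token check only has value once the authorization check is in place: a per-session token does nothing against a user who is legitimately logged in but should not hold the privilege in the first place, which is why the advisory lists the two problems together.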
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.