user_migrate: Local file disclosure
Platform: ownCloud Server
Versions: 4.0.13, 4.5.8,
Risk level: High
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to import arbitrary files on the server inside his user account.
- ownCloud Server < 4.5.8 (CVE-2013-1851)
- ownCloud Server < 4.0.13 (CVE-2013-1851)
It is recommended that all instances are upgraded to ownCloud Server 4.5.9 or 4.0.13.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (email@example.com) – Vulnerability discovery and disclosure.