ownCloud server 9.1.3User enumeration with error messages
Information disclosure in email field dialog at sharing
Flooding logfiles with a 1 Bit BMP File
ownCloud desktop 2.2.3Local Code Injection
ownCloud mobile iOS 3.4.4Improper validation of certificates within the iOS application
Credentials potentially leaked to other configured ownCloud instance
Code execution in /lib/migrate.php (oC-SA-2012-004)
20th December 2012
Risk level: High
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows authenticated remote attackers to execute arbitrary code by uploading a crafted mount.php file in an imported ZIP file.
- ownCloud Server < 4.0.10 (CVE-2013-5665)
- ownCloud Server < 4.5.5 (CVE-2013-5665)
It is recommended that all instances are upgraded to ownCloud Server 4.5.5 or 4.0.10.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Felix Richter - Vulnerability discovery and disclosure.