user_migrate: Local file disclosure (oC-SA-2013-010)
14th March 2013
Risk level: High
An incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to import arbitrary files on the server into their own user account.
- ownCloud Server < 4.5.8 (CVE-2013-1851)
- ownCloud Server < 4.0.13 (CVE-2013-1851)
It is recommended that all instances are upgraded to ownCloud Server 4.5.9 or 4.0.13.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke - ownCloud Inc. (firstname.lastname@example.org) - Vulnerability discovery and disclosure.