Security Advisory

contacts: SQL Injection (oC-SA-2013-012)

2nd April 2013

Risk level: High

Description

ownCloud before 5.0.1 does not neutralize special elements passed to the SQL query in addressbookprovider.php, which allows an authenticated attacker to execute arbitrary SQL commands.

Affected Software

  • ownCloud Server < 5.0.1 (CVE-2013-1893)

Action Taken

It is recommended that all instances be upgraded to ownCloud Server 5.0.1.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Alexander Bürger - Vulnerability discovery and disclosure.