Security Advisory

Back to advisories

Multiple SQL injection (oC-SA-2013-019)

14th May 2013

Risk level: High

Description

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. (CVE-2013-2045)

ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the SQL query in lib/bookmarks.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. (CVE-2013-2046)

Affected Software

  • ownCloud Server < 5.0.6 (CVE-2013-2045)
  • ownCloud Server < 4.5.11 (CVE-2013-2046)

Action Taken

It is recommended that all instances are upgraded to ownCloud Server 5.0.6, 4.5.11 or 4.0.15.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Mateusz Goik - AliantSoft - Vulnerability discovery and disclosure.