Vulnerability Description
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) or share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Owncloud | Owncloud | <= 4.0.5 |
| Owncloud | Owncloud Server | 3.0.0 |
Related Weaknesses (CWE)
References
- http://owncloud.org/changelog/
- http://www.openwall.com/lists/oss-security/2012/08/11/1
- http://www.openwall.com/lists/oss-security/2012/09/02/2
- https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58fExploitPatch
- https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745ExploitPatch
- http://owncloud.org/changelog/
- http://www.openwall.com/lists/oss-security/2012/08/11/1
- http://www.openwall.com/lists/oss-security/2012/09/02/2
- https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58fExploitPatch
- https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745ExploitPatch
FAQ
What is CVE-2012-4393?
CVE-2012-4393 is a vulnerability with a CVSS score of 6.8 (MEDIUM). Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2...
How severe is CVE-2012-4393?
CVE-2012-4393 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2012-4393?
Check the references section above for vendor advisories and patch information. Affected products include: Owncloud Owncloud, Owncloud Owncloud Server.