CVE-2012-4393
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) or share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
11cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*+ 8 more
- cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
5- github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58fnvdExploitPatch
- github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745nvdExploitPatch
- owncloud.org/changelog/nvd
- www.openwall.com/lists/oss-security/2012/08/11/1nvd
- www.openwall.com/lists/oss-security/2012/09/02/2nvd
News mentions
0No linked articles in our index yet.