CVE-2013-0299: CSRF
First published: Fri Mar 14 2014(Updated: )
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ownCloud | <=4.0.11 | |
| ownCloud | =3.0.0 | |
| ownCloud | =3.0.1 | |
| ownCloud | =3.0.2 | |
| ownCloud | =3.0.3 | |
| ownCloud | =4.0.0 | |
| ownCloud | =4.0.1 | |
| ownCloud | =4.0.2 | |
| ownCloud | =4.0.3 | |
| ownCloud | =4.0.4 | |
| ownCloud | =4.0.5 | |
| ownCloud | =4.0.6 | |
| ownCloud | =4.0.7 | |
| ownCloud | =4.0.8 | |
| ownCloud | =4.0.9 | |
| ownCloud | =4.0.10 | |
| ownCloud | =4.5.0 | |
| ownCloud | =4.5.1 | |
| ownCloud | =4.5.2 | |
| ownCloud | =4.5.3 | |
| ownCloud | =4.5.4 | |
| ownCloud | =4.5.5 | |
| ownCloud | =4.5.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2013-0299?
CVE-2013-0299 has a medium severity rating due to its potential to allow attackers to hijack user authentication.
How do I fix CVE-2013-0299?
To fix CVE-2013-0299, upgrade to ownCloud version 4.0.12, 4.5.7, or later.
What versions of ownCloud are affected by CVE-2013-0299?
CVE-2013-0299 affects ownCloud versions prior to 4.0.12 and all 4.5.x versions before 4.5.7.
What type of vulnerability is CVE-2013-0299?
CVE-2013-0299 is classified as a cross-site request forgery (CSRF) vulnerability.
Can CVE-2013-0299 be exploited remotely?
Yes, CVE-2013-0299 can be exploited remotely by attackers to compromise user sessions.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/weakness
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/owncloud
- canonical/owncloud
- version/owncloud/4.0.11
- version/owncloud/3.0.0
- version/owncloud/3.0.1
- version/owncloud/3.0.2
- version/owncloud/3.0.3
- version/owncloud/4.0.0
- version/owncloud/4.0.1
- version/owncloud/4.0.2
- version/owncloud/4.0.3
- version/owncloud/4.0.4
- version/owncloud/4.0.5
- version/owncloud/4.0.6
- version/owncloud/4.0.7
- version/owncloud/4.0.8
- version/owncloud/4.0.9
- version/owncloud/4.0.10
- version/owncloud/4.5.0
- version/owncloud/4.5.1
- version/owncloud/4.5.2
- version/owncloud/4.5.3
- version/owncloud/4.5.4
- version/owncloud/4.5.5
- version/owncloud/4.5.6