Description
The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an account's password via unspecified vectors related to a "Remote Timing Attack."