Description

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php.

Remediation

References

CVE-2013-0299

Related Vulnerabilities

WordPress Plugin GiveWP-Donation and Fundraising Platform Cross-Site Scripting (0.8)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2013-1836)

WordPress Ultimate Member Plugin Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2024-8520)

phpMyAdmin Improper Input Validation Vulnerability (CVE-2016-6630)

Magento Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-7944)

Severity

Medium

Classification

CVE-2013-0299 CWE-352

Tags

Missing Update Known Vulnerabilities