Candidate: CVE-2012-4393
PublicDate: 2012-09-05 23:55:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4393
 http://www.openwall.com/lists/oss-security/2012/09/01
Description:
 Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, or (17) share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/.
Ubuntu-Description:
Notes:
 mdeslaur> owncloud packages in Ubuntu are now empty
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=686567
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_owncloud:
 upstream: https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f
 upstream: https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f
 upstream: https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745
upstream_owncloud: released (4.0.6)
hardy_owncloud: DNE
lucid_owncloud: DNE
natty_owncloud: ignored (reached end-of-life)
oneiric_owncloud: ignored (reached end-of-life)
precise_owncloud: not-affected
quantal_owncloud: not-affected (4.0.6debian-0ubuntu1)
raring_owncloud: not-affected (4.0.6debian-0ubuntu1)
saucy_owncloud: not-affected (4.0.6debian-0ubuntu1)
trusty_owncloud: not-affected (4.0.6debian-0ubuntu1)
trusty/esm_owncloud: DNE (trusty was not-affected [4.0.6debian-0ubuntu1])
utopic_owncloud: DNE
vivid_owncloud: DNE
wily_owncloud: DNE
devel_owncloud: DNE