CVE-2013-0300

Name of the Vulnerable Software and Affected Versions ownCloud versions 4.5.x through 4.5.6

Description The issue allows remote attackers to hijack the authentication of users for various requests. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, attackers can change the default view via the v parameter to "apps/calendar/ajax/changeview.php", mount arbitrary Google Drive or Dropbox folders via vectors related to "addRootCertificate.php", "dropbox.php", and "google.php" in "apps/files external/ajax/", or change the authentication server URL via unspecified vectors to "apps/user webdavauth/settings.php".

Recommendations For ownCloud versions 4.5.x through 4.5.6, update to version 4.5.7 to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "apps/calendar/ajax/changeview.php", "apps/files external/ajax/addRootCertificate.php", "apps/files external/ajax/dropbox.php", "apps/files external/ajax/google.php", and "apps/user webdavauth/settings.php", until the update is applied.