CVE-2015-6670

Name of the Vulnerable Software and Affected Versions ownCloud Server versions prior to 7.0.8 ownCloud Server versions 8.0.x prior to 8.0.6 ownCloud Server versions 8.1.x prior to 8.1.1

Description The issue is related to improper ownership checking of calendars, allowing remote authenticated users to read arbitrary calendars. This can be achieved by manipulating the calid parameter in the "apps/calendar/export.php" endpoint. The vulnerability is associated with an authorization bypass via a user-controlled key, enabling a remote attacker to read data from arbitrary calendars.

Recommendations For ownCloud Server versions prior to 7.0.8, update to version 7.0.8 or later. For ownCloud Server versions 8.0.x prior to 8.0.6, update to version 8.0.6 or later. For ownCloud Server versions 8.1.x prior to 8.1.1, update to version 8.1.1 or later. As a temporary workaround, consider restricting access to the "apps/calendar/export.php" endpoint to minimize the risk of exploitation. Avoid using the calid parameter in the affected endpoint until the issue is resolved.