cve-2013-0299
Vulnerability from cvelistv5
Published
2014-03-14 17:00
Modified
2024-08-06 14:18
Severity ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php.
References
secalert@redhat.comhttp://owncloud.org/about/security/advisories/oC-SA-2013-004/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://owncloud.org/about/security/advisories/oC-SA-2013-004/Vendor Advisory
Impacted products
Vendor Product Version
n/a n/a Version: n/a
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:18:09.780Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2013-02-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2014-03-14T16:57:00",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0299",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/",
              "refsource": "CONFIRM",
              "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0299",
    "datePublished": "2014-03-14T17:00:00",
    "dateReserved": "2012-12-06T00:00:00",
    "dateUpdated": "2024-08-06T14:18:09.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-0299\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-03-14T17:55:06.937\",\"lastModified\":\"2024-11-21T01:47:15.417\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php.\"},{\"lang\":\"es\",\"value\":\"M\u00faltiples vulnerabilidades de CSRF en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.7 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para solicitudes que (1) cambian la zona horaria para el usuario a trav\u00e9s de los par\u00e1metros lat y lng hacia apps/calendar/ajax/settings/guesstimezone.php, (2) deshabilitan o habilitan la detecci\u00f3n de zona horaria automatica a trav\u00e9s del par\u00e1metro timezonedetection hacia apps/calendar/ajax/settings/timezonedetection.php, (3) importan cuentas de usuario a trav\u00e9s del par\u00e1metro admin_export hacia apps/admin_migrate/settings.php, (4) sobreescriben archivos de usuario a trav\u00e9s del par\u00e1metro operation hacia apps/user_migrate/ajax/export.php o (5) cambian la URL del servidor de autenticaci\u00f3n a trav\u00e9s de vectores no especificados hacia apps/user_ldap/settings.php.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.0.11\",\"matchCriteriaId\":\"5861C327-743A-41DF-8326-1696620194D3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A1021FF-2A5A-49AA-A376-09C98FECC519\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F6C12F7-5897-4DBB-A9AB-8180101F37C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:3.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E9CC055C-CFA3-4A23-AF91-83F7F087F282\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:3.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AA5445B4-9115-4D31-9DF9-E7E30CAF1FFD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8FAE7D90-6190-44E2-B4EA-F47FF3263BE6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C7BAB402-B6A0-4314-A37A-C9465157BF5E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A32BED8-F428-44D3-BEAC-E0BB0208B6B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F46F53A9-52B2-41D6-859B-9062B1F02B86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"875B306F-92A2-4360-979E-2B53466A33F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6EB01EA3-3071-424F-9586-83CD208D5CAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4A704201-6D06-4D01-9A28-3D873ABE1AC7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1D5E8BD-2264-482E-ABA9-F83D2A13EF88\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6C88496-C383-4C6B-ABCC-362EF6C6DC0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B3F1BD85-6443-438C-9490-C39BD6970F00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.0.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"786C0B60-FFF9-4B54-91AD-C8A177FF7D5F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B362D262-CB7A-4987-AD26-406E20DE9BCD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DC3B9287-AC9F-488B-A6F4-1AC822BBBAE4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF01655F-80A2-4A6B-9F30-18E39581F971\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.5.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E08AB56D-506A-4D31-AD83-12A5937393B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.5.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"99D723BA-E386-456D-8BC3-91390798B4B4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.5.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"75538474-59FA-444C-865C-7B401A491476\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:owncloud:owncloud:4.5.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9852A84C-BAA9-43E7-BD30-D6F5D752502E\"}]}]}],\"references\":[{\"url\":\"http://owncloud.org/about/security/advisories/oC-SA-2013-004/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://owncloud.org/about/security/advisories/oC-SA-2013-004/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.