CVE-2013-0304

ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is.

Published: Jun 5, 2014
Updated: Apr 13, 2023
CVE: CVE-2013-0304
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
owncloud / owncloud	4.5.1	4.5.1.x
owncloud / owncloud	4.5.0	4.5.0.x
owncloud / owncloud	4.5.2	4.5.2.x
owncloud / owncloud	-	4.5.6.x
owncloud / owncloud	4.5.4	4.5.4.x
owncloud / owncloud	4.5.3	4.5.3.x
owncloud / owncloud	4.5.5	4.5.5.x

http://owncloud.org/about/security/advisories/oC-SA-2013-007/
http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf

Vulnerability Database

289,697

CVE-2013-0304