CVE-2013-2043

owncloud < 4.5.11 and 5.x < 5.0.6 - Authenticated Arbitrary Calendar Download via calendar_id Parameter

Title source: llm
STIX 2.1

Description

apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
http://owncloud.org/about/security/advisories/oC-SA-2013-024/

Scores

EPSS 0.0018
EPSS Percentile 38.7%

Details

CWE
CWE-264
Status published
Products (17)
owncloud/owncloud < 4.5.10
owncloud/owncloud_server 4.5.0
owncloud/owncloud_server 4.5.1
owncloud/owncloud_server 4.5.2
owncloud/owncloud_server 4.5.3
owncloud/owncloud_server 4.5.4
owncloud/owncloud_server 4.5.5
owncloud/owncloud_server 4.5.6
owncloud/owncloud_server 4.5.7
owncloud/owncloud_server 4.5.8
... and 7 more
Published Mar 14, 2014
Tracked Since Feb 18, 2026