Description

apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.

Remediation

References

CVE-2013-2043

Related Vulnerabilities

Lighttpd Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2014-2324)

Oracle Database Server CVE-2010-2412 Vulnerability (CVE-2010-2412)

Atlassian Jira URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2018-13401)

Internet Information Services Other Vulnerability (CVE-2001-0096)

WordPress Plugin Disqus Comment System Multiple Cross-Site Request Forgery Vulnerabilities (2.77)

Severity

Medium

Classification

CVE-2013-2043 CWE-264

Tags

Missing Update Known Vulnerabilities