CVE-2013-1851
Published: 2014-03-14
Priority: P4 · 19 · low
CVSS 2.0 base score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
EPSS: 1.17% (63.5th percentile)
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| owncloud | owncloud | <= 4.0.12 | — |
| owncloud | owncloud_server | — | — |
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4461 [HIGH] cumin: filtering table operator not checked, leads to potential SQLi
bugzilla · 2013-10-07 · CVSS 7.5
A flaw was found in the way cumin parsed POST request data. A remote attacker could potentially use this flaw to perform SQL injection attacks on cumin's database.
Acknowledgements: This issue was discovered by Tomáš Nováčik of the Red Hat MRG Quality Engineering team.
---
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2013:1852 https://rhn.redhat.com/errata/RHSA-2013-1852.html
---
This issue has been addressed in the following products:
MRG for RHEL-5 v.2
Via RHSA-2013:1851 https://rhn.redhat.com/errata/RHSA-2013-1851.html
Bugzilla
CVE-2013-4414 [MEDIUM] cumin: non-persistent XSS possible due to not escaping set limit form input
bugzilla · 2013-08-19 · CVSS 4.3
It was found that cumin did not properly escape input from the "Max allowance" field in the "Set limit" form of the cumin web interface. A remote attacker could use this flaw to perform cross-site scripting (XSS) attacks against victims by tricking them into visiting a specially crafted URL.
Acknowledgements: This issue was discovered by Tomáš Nováčik of the Red Hat MRG Quality Engineering team.
---
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2013:1852 https://rhn.redhat.com/errata/RHSA-2013-1852.html
---
This issue has been addressed in the following products:
MRG for RHEL-5 v.2
Via RHSA-2013:1851 https://rhn.redhat.com/errata/RHSA-2013-1851.html
Bugzilla
CVE-2013-4405 [MEDIUM] cumin: CSRF protection does not work
bugzilla · 2013-08-19 · CVSS 6.8
It was found that multiple forms in the cumin web interface did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user who is logged into the cumin web interface into visiting a specially crafted URL, the attacker could perform actions in the context of the logged-in user.
Acknowledgements: This issue was discovered by Tomáš Nováčik of the Red Hat MRG Quality Engineering team.
---
This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2013:1852 https://rhn.redhat.com/errata/RHSA-2013-1852.html
---
This issue has been addressed in the following products:
MRG for RHEL-5 v.2
Via RHSA-2013:1851 https://rhn.redhat.com/errata/RHSA-2013-1851.html