The developers of the open source cloud storage and collaboration suite ownCloud released an update to their software that closes critical vulnerabilities.
Version 5.0.6 of ownCloud closes holes that allowed authenticated users to inject SQL commands, to execute PHP code on the server, and to download other users' calendars.
Another flaw allows unauthenticated attackers to execute API commands with admin privileges via cross-site request forgery (CSRF): the attacker needs no credentials of their own, but lures a logged-in administrator's browser into sending the crafted request, which the browser dutifully sends with the admin's session cookie attached.
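To make the CSRF point concrete, the following Python sketch is an added illustration and not ownCloud's own code: a small in-memory admin API with a handler that authorises on the session cookie alone, next to a hardened handler that additionally demands a per-session anti-CSRF token and rejects foreign Origin headers. All names (Server, create_user_vulnerable, the csrf_token form field, the example hostnames) are hypothetical and chosen for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed illustration of a CSRF-prone admin API. Nothing here is
# ownCloud code; the class, method and field names are hypothetical.


@dataclass
class Request:
    cookies: dict
    headers: dict
    form: dict


@dataclass
class Server:
    sessions: dict = field(default_factory=dict)  # session id -> record
    users: set = field(default_factory=set)
    origin: str = "https://cloud.example"  # the site's own origin (assumed)

    def login(self, username, is_admin):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "user": username,
            "admin": is_admin,
            # One random token per session; embedded in the site's own pages.
            "csrf": secrets.token_urlsafe(32),
        }
        return sid

    def csrf_token(self, sid):
        # Only a page served from self.origin can read this value; a
        # cross-site page cannot, because of the same-origin policy.
        return self.sessions[sid]["csrf"]

    def _session(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def create_user_vulnerable(self, req):
        """Trusts the cookie alone: any site the admin visits can drive it."""
        sess = self._session(req)
        if not sess or not sess["admin"]:
            return 403, "forbidden"
        self.users.add(req.form["username"])
        return 200, "created"

    def create_user_hardened(self, req):
        """Same check plus an anti-CSRF token and an Origin sanity check."""
        sess = self._session(req)
        if not sess or not sess["admin"]:
            return 403, "forbidden"
        # The token must match the session's token (constant-time compare).
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403, "csrf token missing or invalid"
        # Defence in depth: if the browser sent Origin, it must be ours.
        origin = req.headers.get("Origin")
        if origin is not None and origin != self.origin:
            return 403, "cross-origin request rejected"
        self.users.add(req.form["username"])
        return 200, "created"


def simulate():
    """Replays a forged and a legitimate request against both handlers."""
    srv = Server()
    admin_sid = srv.login("admin", is_admin=True)
    # A hidden form on evil.example auto-submits; the browser attaches the
    # admin's cookie but the attacker cannot know the CSRF token.
    forged = Request(
        cookies={"session": admin_sid},
        headers={"Origin": "https://evil.example"},
        form={"username": "mallory"},
    )
    # The site's own admin page includes the token in the form it submits.
    legit = Request(
        cookies={"session": admin_sid},
        headers={"Origin": srv.origin},
        form={"username": "alice", "csrf_token": srv.csrf_token(admin_sid)},
    )
    return {
        "forged_vulnerable": srv.create_user_vulnerable(forged)[0],  # 200
        "forged_hardened": srv.create_user_hardened(forged)[0],      # 403
        "legit_hardened": srv.create_user_hardened(legit)[0],        # 200
        "users": sorted(srv.users),
    }


if __name__ == "__main__":
    print(simulate())
```

The vulnerable handler accepts the forged request because, from the server's point of view, it is indistinguishable from one the administrator sent on purpose: the cookie is genuine. The hardened handler rejects it because the token lives only in pages served from the site's own origin, which the attacker's page cannot read; the Origin check catches the same forgery a second way for browsers that send that header.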
The ownCloud server could also be misused as a spam source by turning it into an open email redirector, a problem which the developers fixed with the update. The update also fixes a number of additional, non-security-related bugs; a complete list of all improvements is available on ownCloud's Change Log web page.
Because of the serious nature of the vulnerabilities, users should upgrade to ownCloud 5.0.6 as soon as possible.
Some of the security vulnerabilities also affect ownCloud 4.0.x and 4.5.x; for these versions the developers have released ownCloud 4.0.15 and 4.5.11, which exclusively fix the security problems and include no further bug fixes. Users can download the updated versions of ownCloud from the project's web site.