ownCloud Cross-Site Request Forgery (CSRF) Vulnerability - CVE-2012-4393

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php (2) delBookmark.php or (3) editBookmark.php in bookmarks/ajax/ (4) calendar/delete.php (5) calendar/edit.php (6) calendar/new.php (7) calendar/update.php (8) event/delete.php (9) event/edit.php (10) event/move.php (11) event/new.php (12) import/import.php (13) settings/setfirstday.php (14) settings/settimeformat.php (15) share/changepermission.php (16) share/share.php (17) or share/unshare.php in calendar/ajax/ (18) external/ajax/setsites.php (19) files/ajax/delete.php (20) files/ajax/move.php (21) files/ajax/newfile.php (22) files/ajax/newfolder.php (23) files/ajax/rename.php (24) files_sharing/ajax/email.php (25) files_sharing/ajax/setpermissions.php (26) files_sharing/ajax/share.php (27) files_sharing/ajax/toggleresharing.php (28) files_sharing/ajax/togglesharewitheveryone.php (29) files_sharing/ajax/unshare.php (30) files_texteditor/ajax/savefile.php (31) files_versions/ajax/rollbackVersion.php (32) gallery/ajax/createAlbum.php (33) gallery/ajax/sharing.php (34) tasks/ajax/addtask.php (35) tasks/ajax/addtaskform.php (36) tasks/ajax/delete.php or (37) tasks/ajax/edittask.php in apps/ or administrators for requests that use (38) changepassword.php (39) creategroup.php (40) createuser.php (41) disableapp.php (42) enableapp.php (43) lostpassword.php (44) removegroup.php (45) removeuser.php (46) setlanguage.php (47) setloglevel.php (48) setquota.php or (49) togglegroups.php in settings/ajax/.