ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php which therefore allows an authenticated attacker to execute arbitrary SQL commands.
It is recommended that all instances are upgraded to ownCloud Server 5.0.1.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: