Public-Link Password-Bypass via Image-Previews
Platform: ownCloud Server
– Risk: Low
– CVSS v3 Base Score: 3.1
– CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
– CWE ID: 284
– CWE Name: Improper Access Control
It was possible to access the preview-image of a password-protected public-link. The severity of the issue is
reduced to low because the attacker needs to know the public-link hash and the original filename of the image.
– owncloud/core < v10.4
Applied access-control to preview-images.
Alessandro Groppo – Hacktive Security s.r.l.