< go back to overview

Public-Link Password-Bypass via Image-Previews

Platform: ownCloud Server

Versions: 10.3,

Date: 2/28/2020

– Risk: Low
– CVSS v3 Base Score: 3.1
– CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
– CWE ID: 284
– CWE Name: Improper Access Control

It was possible to access the preview-image of a password-protected public-link. The severity of the issue is
reduced to low because the attacker needs to know the public-link hash and the original filename of the image.

– owncloud/core < v10.4

Action taken
Applied access-control to preview-images.

Alessandro Groppo – Hacktive Security s.r.l.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.