
User enumeration with error messages

Platform: ownCloud Server

Versions: 8.1.11, 8.2.9, 9.0.7, 9.1.3

Date: 2/2/2017

Risk level: Medium

CVSS v3 Base Score: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CWE: Information Exposure Through Discrepancy (CWE-203)

Description

This issue occurs when sending a password reset email: a difference in error messages could allow an attacker to determine whether a username is valid.

Affected Software

Action Taken

Hide sensitive information in error messages
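
The following sketch is an added illustration, not ownCloud's code. It contrasts a reset handler whose message depends on whether the account exists with one that answers identically in both cases, plus a regression check for the discrepancy. The handler names, messages and sample account are hypothetical.

```python
# Added illustration of CWE-203 in a password reset flow; not ownCloud code.
# All names, messages and the sample account below are constructed.

USERS = {"alice": "alice@example.org"}  # constructed sample account store
OUTBOX = []                             # stands in for the outgoing mail queue

GENERIC = "If the account exists, a password reset link has been sent."


def reset_before(username):
    """Behaviour of the kind described: the message reveals whether the user exists."""
    if username not in USERS:
        return 200, "Could not send reset email: unknown user."
    OUTBOX.append(USERS[username])
    return 200, "Reset email sent."


def reset_after(username):
    """Hardened behaviour: identical status and body for every outcome."""
    email = USERS.get(username)
    if email is not None:
        # Queue the mail rather than sending it inline, so the response
        # time does not become a second discrepancy.
        OUTBOX.append(email)
    return 200, GENERIC


def leaks_existence(handler, known, unknown):
    """Regression check: True if the two responses can be told apart."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_before, reset_after):
        print(handler.__name__, "leaks:", leaks_existence(handler, "alice", "mallory"))
```

A check like `leaks_existence` belongs in the test suite so that a later change to the reset messages cannot quietly reintroduce the difference.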

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
