< go back to overview

User enumeration with error messages

Platform: ownCloud Server

Versions: 8.1.11, 8.2.9, 9.0.7, 9.1.3,

Date: 2/2/2017

Risk level: Medium

CVSS v3 Base Score: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CWE: Information Exposure Through Discrepancy (CWE-203)


This issue occurs at sending a password reset E-Mail, where a difference in error messages could allow an attacker to determine if the username is valid or not

Affected Software

Action Taken

Hide sensitive information in error messages


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

Share this