- Risk: low
- CVSS v3 Base Score: 3.1
- CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
- CWE ID: 352
- CWE Name: Cross-Site Request Forgery (CSRF)
- CVE: CVE-2024-42014
Description
Improper handling of CSRF protection in the diagnostics app, combined with the `SameSite` cookie attribute being set to `None`, allows cross-site invocation of an admin API.
Affected
- ownCloud (owncloud/core) <10.15.0
- ownCloud (owncloud/diagnostics) <0.2.1
Action taken
Upgrade ownCloud 10 Server to version 10.15.0 or above.
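
A triage check for the two conditions named in the description, added here as an example and not part of the original advisory or ownCloud's code: it compares installed versions against the fixed versions listed under Affected and flags `Set-Cookie` headers carrying `SameSite=None`. The function names, cookie names and sample inputs are constructed for illustration.

```python
import re

# Fixed-in versions, taken from the advisory's "Affected" list.
FIXED = {"core": (10, 15, 0), "diagnostics": (0, 2, 1)}

def parse_version(text):
    """Turn '10.14.0' into (10, 14, 0); any '-suffix' is ignored."""
    nums = re.findall(r"\d+", text.split("-")[0])[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def affected_components(installed):
    """Names of installed components whose version is below the fixed one."""
    return sorted(name for name, ver in installed.items()
                  if name in FIXED and parse_version(ver) < FIXED[name])

def samesite_none_cookies(set_cookie_headers):
    """Names of cookies whose Set-Cookie value carries SameSite=None."""
    flagged = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip().lower()
        if attrs.get("samesite") == "none":
            flagged.append(name)
    return flagged

def exposed(installed, set_cookie_headers):
    """True when an unpatched component and a SameSite=None cookie coincide."""
    return bool(affected_components(installed)) and \
        bool(samesite_none_cookies(set_cookie_headers))

# Constructed sample data (assumption: collected from your own instance).
SAMPLE_INSTALLED = {"core": "10.14.0", "diagnostics": "0.2.0"}
SAMPLE_HEADERS = [
    "example_session=abc123; path=/; secure; HttpOnly; SameSite=None",
    "example_pref=1; path=/; SameSite=Strict",
]

if __name__ == "__main__":
    print("affected:", affected_components(SAMPLE_INSTALLED))
    print("SameSite=None cookies:", samesite_none_cookies(SAMPLE_HEADERS))
    print("exposed:", exposed(SAMPLE_INSTALLED, SAMPLE_HEADERS))
```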