Cross Site Request Forgery in the ocs api

Dec 30, 2020

  • Risk: medium
  • CVSS v3 Base Score: 4.3
  • CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CWE ID: CWE-352
  • CWE Name: Cross-Site Request Forgery (CSRF)


The CSRF token was not properly checked on cookie authenticated requests against the ocs api.


  • ownCloud/core version < 10.6 (CVE-2020-28644)

Action taken

We fixed the CSRF token check.


Thanks to Alessandro Groppo – Hacktive Security s.r.l.